Rsync with ssh-keygen to ssh user with limited commands and specifc directory
I have two machines, local and remote.
I want to back up my files and folders to the remote machine automatically, using rsync to transfer files and folders, using ssh-keygen to automatically log into the remote machine.
I can do this as ssh root, but that will be a bit of security risk: someone can log directly into the remote machine as root if the local files have been compromised.
I tried rssh but I couldn’t log in automatically using ssh-keygen.
What I am looking for is a way to create an ssh user with limited access to shell commands and with access only to a specific directory safe for automatically logging in with no harm to the remote machine.
You can limit the command run when using a ssh key-pair by using command="...."
into ~/.ssh/authorized_keys
file. Example took from here:
$ cat ~/.ssh/authorized_keys
command="/usr/local/bin/rsync --server -vlogDtprz --delete . /tmp",no-pty,no-agent-forwarding,no-port-forwarding ssh-rsa AAAAB3NzaC1y[...] kattoo@spaghetti
rsync includes a rrsync example script that can restrict rsync.
Example:
command="/usr/local/bin/rrsync -ro /data",no-port-forwarding,no-X11-forwarding,no-pty ssh-rsa [...]
That way you don't have to hardcode the commandline from the client on the server.