Rsync with ssh-keygen to ssh user with limited commands and specifc directory

I have two machines, local and remote.

I want to back up my files and folders to the remote machine automatically, using rsync to transfer files and folders, using ssh-keygen to automatically log into the remote machine.

I can do this as ssh root, but that will be a bit of security risk: someone can log directly into the remote machine as root if the local files have been compromised.

I tried rssh but I couldn’t log in automatically using ssh-keygen.

What I am looking for is a way to create an ssh user with limited access to shell commands and with access only to a specific directory safe for automatically logging in with no harm to the remote machine.


You can limit the command run when using a ssh key-pair by using command="...." into ~/.ssh/authorized_keys file. Example took from here:

$ cat ~/.ssh/authorized_keys 
command="/usr/local/bin/rsync --server -vlogDtprz --delete . /tmp",no-pty,no-agent-forwarding,no-port-forwarding ssh-rsa AAAAB3NzaC1y[...] kattoo@spaghetti

rsync includes a rrsync example script that can restrict rsync.

Example:

command="/usr/local/bin/rrsync -ro /data",no-port-forwarding,no-X11-forwarding,no-pty ssh-rsa [...]

That way you don't have to hardcode the commandline from the client on the server.