Can't get rsync to work in daemon-over-ssh mode

Solution 1:

There seems to be a bug in the documentation or the implementation of rsync. man rsync says:

Rsync supports connecting to a host using a remote shell and then spawning a single-use “daemon” server that expects to read its config file in the home dir of the remote user.

but when connecting to root, according to /var/log/messages, it was looking in /etc/rsyncd.conf for the config file (the standard location for an rsyncd.conf file when not used over SSH).

I had to force the ssh server to use the right config file by adding

command="rsync --config=/root/rsyncd.conf --server --daemon ."

to /root/.ssh/authorized_keys.

The reason I didn't just put the config in the default location is that I didn't want someone to accidentally start a normal rsync daemon - I only want a daemon to have this much access when it has got the correct ssh key.

Solution 2:

rsync in daemon mode isn't what I would suggest if you want to lock it down as tight as possible. You want to restrict the command that an SSH key is allowed to run and invoke the copy command using that key.

To find out what command to restrict the key to, run the appropriate rsync command line with a slight modification in the ssh command:

rsync -avz -e 'ssh -v' stuff somewhere:/place

You will see a line in the debug output such as:

debug1: Sending command: rsync --server -vlogDtprze.iLs . /place

That exact command is what you want to restrict the key to be able to run in .ssh/authorized_keys:

command="rsync --server -vlogDtprze.iLs . /place" ssh-dss AAAASSHKEY=
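Both answers come down to a command= entry in authorized_keys. The script below is an added example, not code from either answer or from the rsync project: it pulls the server-side command out of the ssh -v output that Solution 2 describes, emits the forced-command entry for it, and emits the daemon-over-ssh variant from Solution 1 together with a minimal rsyncd.conf for it. It goes beyond the answers in one respect: it also adds the OpenSSH no-port-forwarding, no-X11-forwarding, no-agent-forwarding and no-pty options, because a forced command alone still lets the key request port or agent forwarding, and it includes a check for entries that lack them. The ssh -v lines, the key (a placeholder in the style of the answer's AAAASSHKEY=, using ssh-ed25519 rather than ssh-dss), the /root/rsyncd.conf path, and the module name and path are all constructed for the example.

```shell
#!/bin/sh
# Added example: build locked-down authorized_keys entries for rsync over SSH.
# Assumes a POSIX shell with awk; everything below is constructed sample data.

# OpenSSH authorized_keys options added on top of command= (the answers use
# command= alone; these close off forwarding and pty allocation as well).
RESTRICTIONS='no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty'

# Constructed sample of `rsync -avz -e 'ssh -v' stuff somewhere:/place` output.
SAMPLE_SSH_DEBUG='debug1: Authentication succeeded (publickey).
debug1: Sending command: rsync --server -vlogDtprze.iLs . /place
debug1: Exit status 0'

# Placeholder public key, not real key material.
PUBKEY='ssh-ed25519 AAAASSHKEY='

# Extract the server-side command from ssh -v output on stdin (first match only).
extract_server_command() {
    awk '/^debug1: Sending command: /{ sub(/^debug1: Sending command: /, ""); print; exit }'
}

# Forced-command entry for a plain rsync --server invocation (Solution 2).
# $1 = server command, $2 = public key (type and base64 blob)
restricted_entry() {
    printf 'command="%s",%s %s\n' "$1" "$RESTRICTIONS" "$2"
}

# Daemon-over-ssh entry (Solution 1): the single-use daemon is pointed at a
# config outside /etc so a stray `rsync --daemon` cannot pick it up.
# $1 = path to rsyncd.conf, $2 = public key
daemon_entry() {
    restricted_entry "rsync --config=$1 --server --daemon ." "$2"
}

# Minimal rsyncd.conf for the daemon-over-ssh case: one read-only module,
# so the key can reach nothing outside the exported path.
# $1 = module name, $2 = exported path
daemon_config() {
    printf '[%s]\n    path = %s\n    read only = yes\n    comment = key-restricted rsync over ssh\n' "$1" "$2"
}

# Check an existing authorized_keys line: true only if it carries a forced
# command and every restriction option above, in any order.
# $1 = authorized_keys line
entry_is_locked_down() {
    for opt in 'command="' no-port-forwarding no-X11-forwarding no-agent-forwarding no-pty; do
        case "$1" in
            *"$opt"*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# Demo: derive the entry from the debug output, then the daemon variant.
SERVER_CMD=$(printf '%s\n' "$SAMPLE_SSH_DEBUG" | extract_server_command)
echo "# Solution 2 entry:"
restricted_entry "$SERVER_CMD" "$PUBKEY"
echo "# Solution 1 entry and its config:"
daemon_entry /root/rsyncd.conf "$PUBKEY"
daemon_config backup /srv/backup
```

Paste the emitted entry into the remote user's .ssh/authorized_keys as one line; the rsync flag string must match what the client sends, so re-run the ssh -v step whenever the client-side rsync options change. The daemon_config output goes to the path given to daemon_entry, which in the daemon-over-ssh case is read as the SSH user, so it must be readable by that user and writable by nobody else.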