2

I am working on a backup strategy for my servers with rsync. I followed this tutorial, and to restrict the use of the SSH key, I make use of this validate-rsync.sh script, which I can also run without problems:

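#!/bin/sh

# Runs as the forced command; sshd puts the command the client asked for
# in SSH_ORIGINAL_COMMAND.
case "$SSH_ORIGINAL_COMMAND" in
    # Reject anything containing shell metacharacters.
    *\&*)
        echo "Rejected"
        ;;
    *\(*)
        echo "Rejected"
        ;;
    *\{*)
        echo "Rejected"
        ;;
    *\;*)
        echo "Rejected"
        ;;
    *\<*)
        echo "Rejected"
        ;;
    *\>*)
        echo "Rejected"
        ;;
    *\`*)
        echo "Rejected"
        ;;
    *\|*)
        echo "Rejected"
        ;;
    # Allow only rsync in server mode. The variable is unquoted on purpose
    # so that it is word-split into rsync and its arguments.
    rsync\ --server*)
        $SSH_ORIGINAL_COMMAND
        ;;
    # Everything else is rejected.
    *)
        echo "Rejected"
        ;;
esac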

The beginning of the authorized_keys file looks like this:

command="/home/$USERNAME/validate-rsync.sh" ssh-rsa....

As far as I understand, I should not be able to remotely connect via SSH (from the server where the backup lies) and then e.g. execute mkdir xx. But somehow, I can still do it. What could be the problem?

I am grateful for any help.

Johannes Filter

2 Answers

1

You can force use of rsync by editing the public key in the authorized_keys file on the server, like this:

command="/usr/bin/rsync -wo /path/to/data",no-port-forwarding ssh-rsa ....
gdm
0

I figured it out myself. I set the command in front of the wrong SSH key... I'm sorry for bothering.

Johannes Filter
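The cause found in the last answer (the command= option sitting in front of a different key than the one in use) can be checked mechanically. The following Python script is an added example, not code from either poster: it lists every key in an authorized_keys text together with its forced command, so an entry without one stands out. The sample entries, key placeholders and function names are constructed, and recognising a key line by its type prefix is a heuristic.

```python
"""List every key in an authorized_keys text and the forced command on it."""

KEY_TYPES = ("ssh-", "ecdsa-sha2-", "sk-ssh-", "sk-ecdsa-")  # heuristic prefixes

# Constructed sample; key blobs and comments are placeholders.
SAMPLE = '''\
# backup key, restricted
command="/home/$USERNAME/validate-rsync.sh" ssh-rsa AAAAPLACEHOLDER1 backup@example
command="/usr/bin/rsync -wo /path/to/data",no-port-forwarding ssh-rsa AAAAPLACEHOLDER2 push@example
ssh-rsa AAAAPLACEHOLDER3 admin@example
'''

def split_unquoted(text, seps, limit=None):
    """Split on characters in seps that fall outside double quotes."""
    parts, start, in_quotes, i = [], 0, False, 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and in_quotes:
            i += 2                      # step over an escaped character (\")
            continue
        if ch == '"':
            in_quotes = not in_quotes
        elif ch in seps and not in_quotes and (limit is None or len(parts) < limit):
            parts.append(text[start:i])
            start = i + 1
        i += 1
    return parts + [text[start:]]

def audit(text):
    """Return [(key_type, comment, forced_command or None), ...]."""
    report = []
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        options = ""
        if not line.startswith(KEY_TYPES):      # line begins with an options field
            parts = split_unquoted(line, " \t", 1) + [""]
            options, line = parts[0], parts[1].strip()
        fields = line.split(None, 2)            # key type, key blob, comment
        if len(fields) < 2:
            continue                            # not a usable key line
        command = None
        for opt in split_unquoted(options, ","):
            name, _, value = opt.partition("=")
            if name.lower() == "command" and value[:1] == value[-1:] == '"':
                command = value[1:-1].replace('\\"', '"')
        report.append((fields[0], fields[2] if len(fields) > 2 else "", command))
    return report

if __name__ == "__main__":
    for key_type, comment, command in audit(SAMPLE):
        print(f"{key_type:10} {comment:16} {command or 'UNRESTRICTED: any command allowed'}")
```

Comparing the reported comment or key type against the public half of the key the backup host actually presents shows whether the restriction is on the intended entry.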