Restricting a ssh key to only allow rsync/file transfer?

Question

I have 2 servers (A & B), and I need to rsync files from A to B as root. Allowing root ssh login is possible (PermitRootLogin without-password), but I'd like to lock it down as much as possible. I'm using ssh keys, and (on B) the root ssh key (in /root/.ssh/authorized_keys) is limited to A's IP address (from="x.x.x.x ...").

But how can I lock (this ssh key) down more? Is it possible to restrict that ssh key to only allow rsync/file transfer (and preferably limited to a certain directory)?

Researching this points me to ancient web pages that mention scponly shell, or rrsync script from rsync, or rssh from OpenSSH. But how can I set them up for just that key, without making my entire root account be rssh ?

Here is an answer demonstrating how to use rrsync: https://serverfault.com/a/915842/117645 rrsync is designed to be used for a particular key, so exactly what you want. — Michał Politowski, Apr 29 '19 at 10:21
@MichałPolitowski that looks interesting. Would you like to add that as an answer? — Amandasaurus, May 03 '19 at 09:16
I usually do not send such reminders, but since you explicitly asked for the answer: was it useful? — Michał Politowski, May 19 '19 at 04:36

score 21 · Answer 1 · answered May 05 '19 at 09:42

rrsync is designed to be used as a forced command for a particular key, so it should be exactly what you want.

A forced command is set up using the command option for a key in an authorized keys file and is then always run whenever this key is used for authentication, no matter what command the client requested. But it has access to the requested command so it can for example implement a validated, restricted version of it and that's what rrsync does.

You use it like this:

command="/path/to/rrsync -wo /allowed/directory/",restrict,from="a.b.c.d" ecdsa-sha2-nistp521 AAAAE...

Access for this key is limited to rsync to the /allowed/directory/ only. The -wo (write only) option means that rsync will be only allowed to send to the remote machine, -ro would only allow reading from the remote system, giving no option would allow transfer in both directions.

On the local side when you give arguments to rsync you must give the remote path relative to the allowed directory, so on A you would do eg. rsync -options /local/path root@B: and not rsync -options /local/path root@B:/allowed/directory/.

See also this answer to a different but related question.

After reading about rrsync it seems that it doesn't disable ssh login, the restrictions only affect to rsync. — aseques, Dec 20 '19 at 08:17
@aseques Of course it does not, but it can be used to restrict a particular ssh key to only rsync, which this question is about. — Michał Politowski, Dec 20 '19 at 08:32
@MichałPolitowski where has this been all my life! Amazing. — cherouvim, Jul 01 '22 at 06:31

score -2 · Answer 2 · answered Apr 29 '19 at 08:25

Not a hard restriction on what type of access but perhaps add a password to your key, then use an agent to add the key to your session. That way you will only have to unlock the key once in a session for password-less ssh/scp/rsync access. In the event that its stolen it has a password protecting it from being used.

Create key with passphrase

ssh-keygen -f mykeyfile
#make sure you add a passphrase when asked

Add key to agent before SSH/SCP/RSYNC usage

ssh-add mykeyfile
#enter password here

Thanks. I'm aware of adding passwords to SSH keys. In this case, a script needs to run every hour or so, and needs to be non-interactive, so I can't have it password protected. — Amandasaurus, Apr 30 '19 at 06:57

Restricting a ssh key to only allow rsync/file transfer?

2 Answers2