velt.de

Rsync wird ja gerne im Zusammenspiel mit SSH verwendet, um Daten zu syncen bzw. Backups zu machen. Mehr als nur "häufig" habe ich dabei bisher gesehen, dass dies mit SSH-Keys ohne Passphrase eingerichtet wurde. Soweit nichts schlimmes dabei. Wenn dann allerdings die SSH-Verbindung auf "root" geht und der Key nicht in seiner Funktionalität eingeschränkt wird, wird's unschön. Deswegen hier eine kleine (undokumentierte) Step-by-Step-Anleitung zum Einrichten von Rsync-über-SSH mit kastriertem Key.

0. Ausschalten des SSH-Agents

MASTER:

svelt@MASTER:~ % unset SSH_AGENT_PID
svelt@MASTER:~ % unset SSH_AUTH_SOCK

1. Erzeugen des neuen Keys

MASTER:

svelt@MASTER:~ % ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/svelt/.ssh/id_rsa): /home/svelt/.ssh/rsync_rsa
Enter passphrase (empty for no passphrase): **ENTER**
Enter same passphrase again: **ENTER**
Your identification has been saved in /home/svelt/.ssh/rsync_rsa.
Your public key has been saved in /home/svelt/.ssh/rsync_rsa.pub.
The key fingerprint is:
49:25:af:f7:16:a4:eb:b7:5b:66:07:37:7c:85:0c:84 svelt@MASTER

2. Kopieren des Keys auf den Server

MASTER:

svelt@MASTER:~ % ssh-copy-id -i .ssh/rsync_rsa svelt@BACKUP.DOMAIN.de
0
Password: **PASSWORT**
Now try logging into the machine, with "ssh 'svelt@BACKUP.DOMAIN.de'", and check in:

  .ssh/authorized_keys

to make sure we haven't added extra keys that you weren't expecting.

3. Initialer rsync mit dem Key

MASTER:

svelt@MASTER:~ % rsync -avv -e 'ssh -i /home/svelt/.ssh/rsync_rsa' Doku svelt@BACKUP.DOMAIN.de:tmp/
opening connection using ssh -i /home/svelt/.ssh/rsync_rsa -l svelt BACKUP.DOMAIN.de rsync --server -vvlogDtpr . tmp/ 
building file list ... 
16 files to consider
delta-transmission enabled
Doku/
[...]
total: matches=0  hash_hits=0  false_alarms=0 data=1977241

sent 1978440 bytes  received 324 bytes  1319176.00 bytes/sec
total size is 1977241  speedup is 1.00

4. Setzen des "command" in der authorized_keys

BACKUP:

svelt@BACKUP:~ % cat .ssh/authorized_keys
ssh-rsa AAAA...T7XQ== svelt@MASTER

svelt@BACKUP:~ % vi .ssh/authorized_keys

4a. Aus obigem rsync-Aufruf ableiten

Vorher:   % rsync -avv  -e 'ssh -i /home/svelt/.ssh/rsync_rsa' Doku svelt@BACKUP.DOMAIN.de:tmp/
Nachher:  % rsync -a    -e 'ssh -i /home/svelt/.ssh/rsync_rsa' Doku svelt@BACKUP.DOMAIN.de:tmp/

4b. Genau wissen wollen
BACKUP:

svelt@BACKUP:~ % cat .ssh/authorized_keys
command="set | grep SSH >/tmp/XXX" ssh-rsa AAAA...T7XQ== svelt@MASTER

MASTER:

svelt@MASTER:~ % rsync -a --delete -e 'ssh -i /home/svelt/.ssh/rsync_rsa' Doku svelt@BACKUP.DOMAIN.de:tmp/
rsync: connection unexpectedly closed (0 bytes received so far) [sender]
rsync error: error in rsync protocol data stream (code 12) at io.c(453) [sender=2.6.9]

BACKUP:

svelt@BACKUP:~ % cat /tmp/XXX 
BASH_EXECUTION_STRING='set | grep SSH >/tmp/XXX'
SSH_CLIENT='194.150.191.251 35877 22'
SSH_CONNECTION='194.150.191.251 35877 194.150.191.2 22'
SSH_ORIGINAL_COMMAND='rsync --server -logDtpr --delete . tmp/'

=> siehe SSH_ORIGINAL_COMMAND

5. authorized_keys setzen

BACKUP:

svelt@BACKUP:~ % cat .ssh/authorized_keys 
command="rsync --server -logDtpr --delete . tmp/" ssh-rsa AAAA...T7XQ== svelt@MASTER

6. Testen

MASTER:

svelt@MASTER:~ % rsync -a --delete -e 'ssh -i /home/svelt/.ssh/rsync_rsa' Doku svelt@BACKUP.DOMAIN.de:tmp/
svelt@MASTER:~ % echo $?
0

MASTER:

svelt@MASTER:~ % touch Doku/FIXME
svelt@MASTER:~ % rsync -avv --delete -e 'ssh -i /home/svelt/.ssh/rsync_rsa' Doku svelt@BACKUP.DOMAIN.de:tmp/
opening connection using ssh -i /home/svelt/.ssh/rsync_rsa -l svelt BACKUP.DOMAIN.de rsync --server -vvlogDtpr --delete . tmp/ 
building file list ... 
done
Doku/
Doku/FIXME
total: matches=0  hash_hits=0  false_alarms=0 data=0

sent 439 bytes  received 48 bytes  324.67 bytes/sec
total size is 1977241  speedup is 4060.04