rrsync

Last updated: 2021-12-28

Introduction

The rsync package ships a helper script, rrsync (a perl script), that restricts what an rsync client may do when it connects over SSH.

Setup

1) rrsync is used together with authorized_keys

~/.ssh/authorized_keys format

options keytype base64-encoded key comment

i.e.

command="/usr/bin/rrsync /path/to/subdir/",restrict ssh-rsa {PUBLIC_KEY}

Remark

restrict: Enable all restrictions

equivalent to

  • no-agent-forwarding,no-port-forwarding,no-X11-forwarding,no-pty,no-user-rc

2) Put rrsync in a suitable location

# locate the rrsync script shipped with the rsync package (RPM-based systems)
RRSYNC=$(rpm -ql rsync | grep rrsync)

# copy it to /usr/bin, the path referenced by command= in authorized_keys
if [ -f "$RRSYNC" ]; then cp "$RRSYNC" /usr/bin; fi

ls -l /usr/bin/rrsync

3) rrsync configuration

# The restricted rsync command takes a single argument: the subdirectory to which the user's actions are restricted.

# This option might be useful to restrict certain public keys to perform just a specific operation.

e.g.

Use 'command="/usr/bin/rrsync [-ro|-wo] SUBDIR"'

e.g.

# allow read-only rsync commands

command="/usr/bin/rrsync -ro /path/to/subdir/"

4) Test

# Original (unrestricted) rsync invocation

rsync -a -e 'ssh -p 22001' rsync_dir/ User@Server:/path/to/subdir/

# With rrsync: no destination path is given, because rrsync confines the transfer to the configured SUBDIR

rsync -a -e 'ssh -p 22001' rsync_dir/ User@Server:

# ssh (interactive login attempt)

ssh User@Server

PTY allocation request failed on channel 0               # no-pty takes effect
/usr/bin/rrsync: Not invoked via sshd
Use 'command="/usr/bin/rrsync [-ro|-wo] SUBDIR"'
        in front of lines in /home/vhosts/tim.hostlink.com.hk//.ssh/authorized_keys
Connection to tim.hostlink.com.hk closed.

ssh User@Server -- uptime

/usr/bin/rrsync: SSH_ORIGINAL_COMMAND='uptime' is not rsync
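The following is an added example, not part of the original note and not from the rsync project: a small POSIX sh helper that builds an authorized_keys line for steps 1 and 3 above (forced rrsync command plus restrict) and audits an existing authorized_keys file for rrsync entries that lack restrict (or the equivalent five no-* options). The sample authorized_keys content, key strings and paths are constructed placeholders; the function names build_rrsync_key, audit_rrsync_keys and write_sample_keys are this example's own.

```shell
#!/bin/sh
# Added example (not from the original page or the rsync project).
# Key material, paths and file contents below are constructed placeholders.

# build_rrsync_key MODE SUBDIR PUBKEY
#   MODE   : ro (read-only), wo (write-only) or rw (no flag, both directions)
#   SUBDIR : absolute directory the key is confined to (absolute is this example's policy)
#   PUBKEY : "keytype base64 comment" as it appears in a .pub file
# Prints one authorized_keys line: forced rrsync command plus "restrict".
build_rrsync_key() {
    mode=$1; subdir=$2; pubkey=$3
    case $mode in
        ro) flag="-ro " ;;
        wo) flag="-wo " ;;
        rw) flag="" ;;
        *)  echo "build_rrsync_key: mode must be ro, wo or rw" >&2; return 1 ;;
    esac
    case $subdir in
        /*) ;;
        *)  echo "build_rrsync_key: SUBDIR must be an absolute path" >&2; return 1 ;;
    esac
    printf 'command="/usr/bin/rrsync %s%s",restrict %s\n' "$flag" "$subdir" "$pubkey"
}

# audit_rrsync_keys FILE
#   For every non-comment line whose forced command mentions rrsync, check that
#   the options field contains "restrict" or all five no-* options the page
#   lists as its equivalent. Offending entries go to stderr; the count of
#   offending entries is printed to stdout.
audit_rrsync_keys() {
    file=$1
    bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            \#*|'') continue ;;                 # skip comments and blank lines
        esac
        case $line in
            *rrsync*) ;;                        # only rrsync forced commands are audited
            *) continue ;;
        esac
        # Options field = everything before the key type (ssh-*, ecdsa-*, sk-*).
        opts=$line
        for kt in ssh- ecdsa- sk-; do
            case $opts in
                *" $kt"*) opts=${opts%% "$kt"*} ;;
            esac
        done
        has_restrict=0; noflags=0
        old_ifs=$IFS; IFS=,
        for o in $opts; do
            case $o in
                restrict) has_restrict=1 ;;
                no-agent-forwarding|no-port-forwarding|no-X11-forwarding|no-pty|no-user-rc)
                    noflags=$((noflags + 1)) ;;
            esac
        done
        IFS=$old_ifs
        if [ "$has_restrict" -eq 0 ] && [ "$noflags" -lt 5 ]; then
            bad=$((bad + 1))
            printf 'unrestricted rrsync entry: %s\n' "$opts" >&2
        fi
    done < "$file"
    echo "$bad"
}

# write_sample_keys FILE: constructed authorized_keys for the demo (keys are not real).
write_sample_keys() {
    cat > "$1" <<'EOF'
# backup host: read-only pull from /srv/backup, fully restricted
command="/usr/bin/rrsync -ro /srv/backup/",restrict ssh-ed25519 AAAAC3PLACEHOLDER1 backup@example
# legacy entry: forced command but no restrict and only two no-* options
command="/usr/bin/rrsync /srv/uploads/",no-pty,no-port-forwarding ssh-rsa AAAAB3PLACEHOLDER2 legacy@example
# ordinary interactive key, not an rrsync entry, ignored by the audit
ssh-ed25519 AAAAC3PLACEHOLDER3 admin@example
EOF
}

# Demo on the constructed file (run as: sh rrsync_keys.sh)
tmp=$(mktemp)
write_sample_keys "$tmp"
build_rrsync_key ro /srv/backup/ "ssh-ed25519 AAAAC3PLACEHOLDER1 backup@example"
echo "unrestricted rrsync entries: $(audit_rrsync_keys "$tmp")"
rm -f "$tmp"
```

The audit deliberately treats a partial set of no-* options as unrestricted, matching the page's point that restrict is the shorthand for all five; an entry with only no-pty still permits port forwarding through the forced command's session.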