Re: [CentOS] Rsync, SSH and authorized_keys problem

2009-06-17 Thread RobertH

stewart,

try this website using anything other than msie browser.

http://www.jms1.net/code/rsync-backup.shtml

this code has been most excellent for meeting many basic needs.

:-)

don't forget to give jms1 a shout of thanks

 - rh

___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos


[CentOS] Rsync, SSH and authorized_keys problem

2009-06-16 Thread Stewart Williams
Hi,

I'm trying to backup from one machine to the other (automatically via
cron) using rsync and ssh password-less public key authentication.

I have been trying to set this up following an article in a Linux
magazine[1] by only allowing the specific rsync command to run on the
remote box.

I am using the following rsync command:

$ rsync -avz -e "ssh -i ~/.ssh/backup-key" /backup \
    stew...@name.of.remote.server:/backup

This runs, connects using keys asking for no password and completes
successfully until I add the above command to my authorized_keys file on
the remote box:

command=rsync -avz -e ssh -i ~/.ssh/backup-key /backup
stew...@name.of.remote.server:/backup ssh-dss ... key ...

The client then says it cannot find the key, so the connection fails.

Is it because it's trying to find the private key in the ~/.ssh
directory on the remote box?

Is the article wrong?

Or am I doing something wrong?

Should I use the $SSH_ORIGINAL_COMMAND variable?

Regards,
Stewart Williams






[1]
http://www.linuxformat.com/pdfs/download.php?PDF=LXF105.tut_backup.pdf


Re: [CentOS] Rsync, SSH and authorized_keys problem

2009-06-16 Thread Tom Brown

> command=rsync -avz -e ssh -i ~/.ssh/backup-key /backup
> stew...@name.of.remote.server:/backup ssh-dss ... key ...

which user is doing this as maybe the env of that user in cron is not 
the same as when logged in using a shell ?



Re: [CentOS] Rsync, SSH and authorized_keys problem

2009-06-16 Thread nate
Stewart Williams wrote:
> Hi,
>
> I'm trying to backup from one machine to the other (automatically via
> cron) using rsync and ssh password-less public key authentication.
>
> I have been trying to set this up following an article in a Linux
> magazine[1] by only allowing the specific rsync command to run on the
> remote box.
>
> I am using the following rsync command:
>
> $ rsync -avz -e "ssh -i ~/.ssh/backup-key" /backup \
>     stew...@name.of.remote.server:/backup
>
> This runs, connects using keys asking for no password and completes
> successfully until I add the above command to my authorized_keys file on
> the remote box:
>
> command=rsync -avz -e ssh -i ~/.ssh/backup-key /backup
> stew...@name.of.remote.server:/backup ssh-dss ... key ...

I think your issue is the command you're specifying is only what
is run on the client end, not on the server end. the server
runs rsync-server, e.g. from one of my rsync servers:
logrsync  5244  0.0  0.0   2152   256 ?        S    14:03   0:00 rsync --server -vltpre.is --timeout=600 . /nfs/exnas/root/pixelserverlogs/transferlogs/pd3-bgas09//

the command I executed on the client is much, much bigger.

rsync -rlptve "/usr/bin/hpnssh -v -o TcpRcvBufPoll=yes -o NoneEnabled=yes -o NoneSwitch=yes" \
  --timeout=600 --files-from=/home/logrsync/jobs/rsync_list_00 \
  --log-format="[%p] %t %o %f (%l/%b)" /var/xrt/pickup \
  logrs...@pd3-dc01rsync-vip.pod.xxx.net:/nfs/exnas/root/pixelserverlogs/PD3-BGAS09// \
  > /home/logrsync/logs/rsync_worker_00_20090616_153501.log 2>&1

There may be other commands that are executed as well as part of
the file sync process other than rsync-server.

I suggest if you're really paranoid about only allowing file transfers
then use the rsync protocol itself. You can encrypt it via a VPN
or a ssl tunneling app like stunnel if you want.

For me I am happy with just locking the system down so only ssh
keys are allowed to login. don't feel the need to try to lock down
what keys a particular app can use. And even if I did it wouldn't
work since there are about 120 systems that share the same private
key to upload and download data to different locations (couple TB
of data transferred per day).

nate




Re: [CentOS] Rsync, SSH and authorized_keys problem

2009-06-16 Thread Filipe Brandenburger
Hi,

On Tue, Jun 16, 2009 at 16:59, Stewart Williams <li...@pinkyboots.co.uk> wrote:
> command=rsync -avz -e ssh -i ~/.ssh/backup-key /backup
> stew...@name.of.remote.server:/backup ssh-dss ... key ...

You actually have to include the command that rsync will call on the
server side, not the command you use to call rsync on the client
side...

I did some tests while running ps -ef | grep rsync and I believe it
would be something like this:
command="rsync --server -vlogDtprze.is . /backup" ssh-dss ...

HTH,
Filipe


Re: [CentOS] Rsync, SSH and authorized_keys problem

2009-06-16 Thread Spiro Harvey
On Tue, 16 Jun 2009 21:59:27 +0100
Stewart Williams <li...@pinkyboots.co.uk> wrote:
> command=rsync -avz -e ssh -i ~/.ssh/backup-key /backup
> stew...@name.of.remote.server:/backup ssh-dss ... key ...

well, I've never seen anything other than keys in an authorized_keys
file.. (btw - use authorized_keys2 for ssh v2), but I'd hazard a guess
and say that the speech marks are what could be causing it grief.

try single quotes (') around the command= bit with the double quotes
around the ssh command and see if that makes a difference.

-- 
Spiro Harvey  Knossos Networks Ltd
021-295-1923  www.knossos.net.nz




Re: [CentOS] Rsync, SSH and authorized_keys problem

2009-06-16 Thread Filipe Brandenburger
Hi,

On Tue, Jun 16, 2009 at 17:10, Filipe Brandenburger <filbran...@gmail.com> wrote:
> On Tue, Jun 16, 2009 at 16:59, Stewart Williams <li...@pinkyboots.co.uk> wrote:
>> command=rsync -avz -e ssh -i ~/.ssh/backup-key /backup
>> stew...@name.of.remote.server:/backup ssh-dss ... key ...
>
> You actually have to include the command that rsync will call on the
> server side, not the command you use to call rsync on the client
> side...

If you add -v to the SSH command line on the client:

$ rsync -avz -e ssh -v -i ...

It will print something like this:

debug1: Sending command: rsync --server -vlogDtprze.is . /backup

That is the exact string you should add to command= on the
authorized_keys file on the other end.

HTH,
Filipe


Re: [CentOS] Rsync, SSH and authorized_keys problem

2009-06-16 Thread Filipe Brandenburger
Hi,

On Tue, Jun 16, 2009 at 17:12, Spiro Harvey <sp...@knossos.net.nz> wrote:
> well, I've never seen anything other than keys in an authorized_keys
> file..

See the AUTHORIZED_KEYS FILE FORMAT section in man sshd.

> (btw - use authorized_keys2 for ssh v2),

That file name is deprecated, the file should be named authorized_keys instead.
http://marc.info/?l=openssh-unix-dev&m=100508718416162&w=2

> try single quotes (') around the command= bit with the double quotes
> around the ssh command and see if that makes a difference.

No, AFAIK the command=... in authorized_keys needs double quotes.
The man page implies it, and I believe I tested it with single quotes
and it did not work...

HTH,
Filipe


Re: [CentOS] Rsync, SSH and authorized_keys problem

2009-06-16 Thread Stewart Williams
Tom Brown wrote:
>> command=rsync -avz -e ssh -i ~/.ssh/backup-key /backup
>> stew...@name.of.remote.server:/backup ssh-dss ... key ...
>
> which user is doing this as maybe the env of that user in cron is not
> the same as when logged in using a shell ?

It's the same user, I haven't added the cron job yet. That's just what I
intend on doing, at the moment I am having this problem from the shell.


Re: [CentOS] Rsync, SSH and authorized_keys problem

2009-06-16 Thread Stewart Williams
nate wrote:
> Stewart Williams wrote:
>> Hi,
>>
>> I'm trying to backup from one machine to the other (automatically via
>> cron) using rsync and ssh password-less public key authentication.
>>
>> I have been trying to set this up following an article in a Linux
>> magazine[1] by only allowing the specific rsync command to run on the
>> remote box.
>>
>> I am using the following rsync command:
>>
>> $ rsync -avz -e "ssh -i ~/.ssh/backup-key" /backup \
>>     stew...@name.of.remote.server:/backup
>>
>> This runs, connects using keys asking for no password and completes
>> successfully until I add the above command to my authorized_keys file on
>> the remote box:
>>
>> command=rsync -avz -e ssh -i ~/.ssh/backup-key /backup
>> stew...@name.of.remote.server:/backup ssh-dss ... key ...
>
> I think your issue is the command you're specifying is only what
> is run on the client end, not on the server end. the server
> runs rsync-server, e.g. from one of my rsync servers:
> logrsync  5244  0.0  0.0   2152   256 ?        S    14:03   0:00 rsync --server -vltpre.is --timeout=600 . /nfs/exnas/root/pixelserverlogs/transferlogs/pd3-bgas09//
>
> the command I executed on the client is much, much bigger.
>
> rsync -rlptve "/usr/bin/hpnssh -v -o TcpRcvBufPoll=yes -o NoneEnabled=yes -o NoneSwitch=yes" \
>   --timeout=600 --files-from=/home/logrsync/jobs/rsync_list_00 \
>   --log-format="[%p] %t %o %f (%l/%b)" /var/xrt/pickup \
>   logrs...@pd3-dc01rsync-vip.pod.xxx.net:/nfs/exnas/root/pixelserverlogs/PD3-BGAS09// \
>   > /home/logrsync/logs/rsync_worker_00_20090616_153501.log 2>&1
>
> There may be other commands that are executed as well as part of
> the file sync process other than rsync-server.
>
> I suggest if you're really paranoid about only allowing file transfers
> then use the rsync protocol itself. You can encrypt it via a VPN
> or a ssl tunneling app like stunnel if you want.
>
> For me I am happy with just locking the system down so only ssh
> keys are allowed to login. don't feel the need to try to lock down
> what keys a particular app can use. And even if I did it wouldn't
> work since there are about 120 systems that share the same private
> key to upload and download data to different locations (couple TB
> of data transferred per day).
>
> nate

I am the only user with shell access to these systems and they are on a
private network, so maybe I am going a bit OTT. :)


Re: [CentOS] Rsync, SSH and authorized_keys problem

2009-06-16 Thread Stewart Williams
Filipe Brandenburger wrote:
> Hi,
>
> On Tue, Jun 16, 2009 at 17:10, Filipe Brandenburger <filbran...@gmail.com> wrote:
>> On Tue, Jun 16, 2009 at 16:59, Stewart Williams <li...@pinkyboots.co.uk> wrote:
>>> command=rsync -avz -e ssh -i ~/.ssh/backup-key /backup
>>> stew...@name.of.remote.server:/backup ssh-dss ... key ...
>> You actually have to include the command that rsync will call on the
>> server side, not the command you use to call rsync on the client
>> side...
>
> If you add -v to the SSH command line on the client:
>
> $ rsync -avz -e ssh -v -i ...
>
> It will print something like this:
>
> debug1: Sending command: rsync --server -vlogDtprze.is . /backup
>
> That is the exact string you should add to command= on the
> authorized_keys file on the other end.
>
> HTH,
> Filipe

Thank you Filipe, I will try this and let you know if it works.


Re: [CentOS] Rsync, SSH and authorized_keys problem

2009-06-16 Thread Kai Schaetzl
Stewart Williams wrote on Tue, 16 Jun 2009 21:59:27 +0100:

> command=rsync -avz -e ssh -i ~/.ssh/backup-key /backup
> stew...@name.of.remote.server:/backup ssh-dss ... key ...

As Nate says, the command on the other end looks different.
Here's a good explanation and also a script to check on the other side:
http://troy.jdmz.net/rsync/index.html

Kai

-- 
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com
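
The server-side check discussed in the replies above, as an added example that is not part of the thread or of the linked scripts: a forced-command wrapper that validates $SSH_ORIGINAL_COMMAND and runs it only if it is an rsync receiver writing to one directory. The install path /usr/local/bin/rsync-gate, the function name rsync_request_allowed and the /backup destination are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Hypothetical install path; the key is
# elided exactly as in the posts:
#   command="/usr/local/bin/rsync-gate --enforce",no-pty,no-port-forwarding ssh-dss ... key ...

ALLOWED_DEST="/backup"   # assumption: the one directory this key may write into

# Succeeds only for "rsync --server <options> . $ALLOWED_DEST" (a receiver).
rsync_request_allowed() {
    case $1 in
        *[!A-Za-z0-9\ ./=_,-]*) return 1 ;;  # allow-list: no ; | & $ ` quotes, ~, globs
        *..*) return 1 ;;                    # no path traversal
    esac
    set -f; set -- $1; set +f                # split on spaces, globbing off
    [ "$#" -ge 4 ] || return 1
    [ "$1" = rsync ] || return 1
    [ "$2" = --server ] || return 1
    shift 2
    while [ "$#" -gt 2 ]; do                 # everything before ". DEST" must be an option
        case $1 in
            --sender|*/*) return 1 ;;        # no pulling data, no path-valued options
            -*) shift ;;
            *) return 1 ;;                   # a stray word would be read as another path
        esac
    done
    [ "$1" = . ] || return 1
    [ "$2" = "$ALLOWED_DEST" ] || [ "$2" = "$ALLOWED_DEST/" ]
}

# Forced-command entry point: sshd runs this instead of what the client asked
# for and passes the client's request in SSH_ORIGINAL_COMMAND.
if [ "${1:-}" = "--enforce" ]; then
    if rsync_request_allowed "${SSH_ORIGINAL_COMMAND:-}"; then
        set -f
        exec $SSH_ORIGINAL_COMMAND           # only plain words reach this point
    fi
    logger -t rsync-gate "rejected: ${SSH_ORIGINAL_COMMAND:-interactive login}"
    echo "rsync-gate: request rejected" >&2
    exit 1
fi
```

Unlike a fixed command= string, this keeps working when the client's option letters change between rsync versions, and every rejected request is written to syslog under the rsync-gate tag.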


