Sunday, December 23, 2012

Running rsync over an ssh tunnel

I spent a whole day trying to run the rsync client over an ssh tunnel in a single command. Now I have it working. The problem was the & symbol in ssh's LocalCommand option. These are the steps to do it.

  1. Create a passphrase-less key pair (an ssh key pair, not an X.509 certificate, despite the file name used below) for non-interactive connections to the server
  2. Configure and test the client side for non-interactive ssh connections to the server
  3. Copy the nobody user's public key to the server
  4. Configure the ssh daemon on the server to allow key-pair authentication for user nobody
  5. Test the nobody connection to the server
  6. Configure the rsync server to accept only local connections
  7. Test the rsync connection over ssh
# create a key pair without a passphrase on the client side; the files are named .cert
# but hold a plain ssh key pair, and the private key must never leave the client
ssh-keygen -b 2048 -t rsa -f nobody.cert
Generating public/private rsa key pair.
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in nobody.cert.
Your public key has been saved in nobody.cert.pub.
The key fingerprint is:
28:50:07:52:56:63:35:44:10:57:53:79:bf:53:87:5b main@311c
The key's randomart image is:
+--[ RSA 2048]----+
|  ..=oB**.o...   |
|   + o o . .. .  |
|  .          . o |
|   .   .      . E|
|    . . S      o+|
|     .        .o |
|                .|
|                 |
|                 |
+-----------------+
# the private key file nobody.cert and the public key file nobody.cert.pub have been created

# create an ssh client configuration file
vi $HOME/.ssh/config

# Fill it with this
Host <server-ip>
User nobody
Hostname <server-ip>
IdentityFile /home/<user-name>/.ssh/nobody.cert
AddressFamily inet
#BatchMode yes
IdentitiesOnly yes
# local port 1873 is forwarded to port 873 on the server's loopback, where rsyncd will listen
LocalForward 1873 127.0.0.1:873
# abort the connection instead of silently continuing without the tunnel
ExitOnForwardFailure yes
# required for the LocalCommand used in the last step
PermitLocalCommand yes

# send the public key to the server using root or another account; the destination is
# nobody's home directory as listed in /etc/passwd (shown below), and its .ssh folder must exist
scp nobody.cert.pub root@<server-ip>:/ffp/home/nobody/.ssh

# log in to the server and check the nobody user's configuration
grep nobody /etc/passwd
nobody:x:501:501:Linux User,,,:/ffp/home/nobody:/ffp/bin/sh

# go to nobody's home folder and add the public key to the authorized keys
cd /ffp/home/nobody/.ssh
cat nobody.cert.pub >> authorized_keys
# sshd (StrictModes) ignores the key if the directory or file is writable by
# anyone but the owner, so fix ownership and permissions while here
chown -R nobody /ffp/home/nobody/.ssh
chmod 700 /ffp/home/nobody/.ssh
chmod 600 authorized_keys

# configure the ssh server daemon to allow key-pair authentication and port forwarding
vi /etc/ssh/sshd_config

# verify these lines (sshd_config does not accept trailing comments, so keep notes on their own lines)
Protocol 2
# RSAAuthentication is a protocol-1 option; harmless, but PubkeyAuthentication is the one that matters
RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile        .ssh/authorized_keys
# required for the LocalForward in the client configuration
AllowTcpForwarding yes

# restart the ssh server (the init script name varies by system; this is the one on this box)
/etc/init.d/ssh restart

# test the connection to the server
ssh <server-ip>
# If everything is ok no password is prompted and you are logged in as nobody.
# If a password is prompted, key authentication failed; then
# set BatchMode to yes in the config file so ssh fails at once instead of prompting,
# and run ssh -v to see which key is offered and why the server refuses it
# try setting IdentitiesOnly to no
# check that nobody owns the .ssh folder and authorized_keys and that neither is writable by others
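Steps 3 to 5 leave the passphrase-less nobody key able to open a full shell on the server. The following is an added example, not part of the original post, of installing the public key with authorized_keys options that limit the key to the tunnel. It assumes OpenSSH's sshd (the options are the ones documented in sshd(8)); the 60-second forced sleep, the function name and the paths in the usage comment are choices made here.

```shell
#!/bin/sh
# Added example (not from the original post): install nobody.cert.pub on the
# server with authorized_keys options that restrict the passphrase-less key to
# opening the rsync tunnel. Options are from OpenSSH sshd(8); the forced
# 60-second sleep is an assumption chosen to outlive a typical transfer.

# $1: public key file copied from the client (e.g. /tmp/nobody.cert.pub)
# $2: nobody's .ssh directory on the server (e.g. /ffp/home/nobody/.ssh)
install_restricted_key() {
    pubkey="$1"
    sshdir="$2"
    # command=    replaces whatever the client asks to run (the post's "sleep 2")
    #             with a fixed command, so the key can never get a shell
    # no-pty etc. remove interactive, agent and X11 capabilities
    # permitopen= allows a forward only to the rsync daemon on the server loopback
    # (OpenSSH 7.2+ can express the same as restrict,port-forwarding,permitopen=...)
    opts='command="/bin/sleep 60",no-pty,no-agent-forwarding,no-X11-forwarding,permitopen="127.0.0.1:873"'

    # the file must hold exactly one public key line; refuse anything else
    [ "$(wc -l < "$pubkey" | tr -d ' ')" -eq 1 ] || return 1
    case "$(cat "$pubkey")" in
        "ssh-rsa "*|"ssh-ed25519 "*|"ecdsa-sha2-"*) ;;
        *) return 1 ;;
    esac

    # sshd (StrictModes) ignores keys in directories or files writable by others
    mkdir -p "$sshdir" || return 1
    chmod 700 "$sshdir"
    printf '%s %s\n' "$opts" "$(cat "$pubkey")" >> "$sshdir/authorized_keys"
    chmod 600 "$sshdir/authorized_keys"
}

# usage on the server, as root, after copying the key to /tmp:
#   install_restricted_key /tmp/nobody.cert.pub /ffp/home/nobody/.ssh
#   chown -R nobody /ffp/home/nobody/.ssh
```

Because command= replaces whatever the client asks to run, the final "ssh ... sleep 2" of the post would keep the session open for 60 seconds instead; a tunnel opened with ssh -N never requests a command, so the forced command does not run at all and only the permitopen forward is used.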

# change the rsync server configuration file
vi /etc/rsyncd.conf

# put this line at the beginning, in the global section before any [module], so the
# daemon listens only on the loopback interface and is reachable only through the tunnel
address = 127.0.0.1

# restart the rsync server
/etc/init.d/rsync restart

# try to connect to rsync over ssh with this command
export RSYNC_CMD='rsync -aqu --port=1873 %d/working/ rsync://localhost/%u/ &'
ssh -o "LocalCommand=$RSYNC_CMD" <server-ip> sleep 2
# %d and %u are ssh_config tokens that ssh expands to the local user's home directory and
# local user name, so $HOME/working/ is sent to the rsync module named after the local user
# (-r and -t are implied by -a).
# The & at the end is essential: ssh runs LocalCommand synchronously once the connection
# is up but before it starts servicing forwarded ports, so a foreground rsync would connect
# to 1873 and wait forever for a tunnel that ssh only serves after LocalCommand returns.
# Backgrounding rsync lets ssh carry on; the remote "sleep 2" keeps the session, and with
# it the tunnel, open while rsync runs. A transfer that takes longer than 2 seconds is
# cut off when the session ends, so size the sleep to the data or tie the tunnel to rsync.
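The command above works, but the tunnel lives exactly as long as the remote sleep 2. As an added example, not from the original post, here is the same sync as a script that opens the tunnel in the background through an ssh control socket, runs rsync, and closes the tunnel when rsync exits, whatever its status. It assumes the Host <server-ip> entry from the ~/.ssh/config above and an rsync module named after the local user, as in the post; the variable and function names are chosen here.

```shell
#!/bin/sh
# Added example (not from the original post): sync through the ssh tunnel
# with the tunnel lifetime tied to rsync instead of a remote "sleep 2".
# ssh's control socket (-M/-S to open, -O exit to close) manages the tunnel.
# Assumes the post's Host <server-ip> entry in ~/.ssh/config (user nobody,
# identity file) and an rsync module named after the local user (the post's %u).

SERVER="${SERVER:-<server-ip>}"        # Host alias from ~/.ssh/config
LOCAL_PORT="${LOCAL_PORT:-1873}"       # local end of the forward
SRC="${SRC:-$HOME/working/}"           # directory to send (trailing slash: contents)
MODULE="${MODULE:-$(id -un)}"          # rsync module on the server
SSH="${SSH:-ssh}"                      # overridable so the flow can be dry-run
RSYNC="${RSYNC:-rsync}"
CTL="${CTL:-/tmp/rsync-tunnel.$$}"     # control socket path, private to this run

open_tunnel() {
    # -f -N: go to the background once the forward is established and run no
    #        remote command, so no shell or forced command is needed on the server.
    # -M -S: start a control master so this same connection can later be told to exit.
    # ExitOnForwardFailure makes ssh exit non-zero (instead of silently continuing)
    # when port 1873 is already taken or the server refuses the forward.
    "$SSH" -f -N -M -S "$CTL" -o ExitOnForwardFailure=yes \
        -L "$LOCAL_PORT:127.0.0.1:873" "$SERVER"
}

close_tunnel() {
    "$SSH" -S "$CTL" -O exit "$SERVER" 2>/dev/null
}

sync_dir() {
    # -r and -t are implied by -a; -u leaves alone files that are newer on the daemon side
    "$RSYNC" -aqu --port="$LOCAL_PORT" "$SRC" "rsync://localhost/$MODULE/"
}

# Open, sync, close. Returns rsync's exit status, and the tunnel is torn down
# even when rsync fails, so no stray ssh is left listening on port 1873.
rsync_over_tunnel() {
    open_tunnel || return 1
    if sync_dir; then rc=0; else rc=$?; fi
    close_tunnel
    return $rc
}

case "${1:-}" in
    run) rsync_over_tunnel ;;
esac
```

Run it as "sh sync-over-tunnel.sh run". Pointing SSH and RSYNC at other commands lets the open, sync, close ordering be checked without a server, which is how the script is exercised here.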

# Good Luck
