One of our clients has a requirement to block direct login as the application user, but allow rsync as that user (as well as scp/sftp). They run a job on one system and then transfer the results to several other systems for various types of processing. And they want to do this without entering a password.

It seems like this should be doable via "allowed commands", but I'm not sure exactly what to put there.

asked Dec 14 '11 at 17:19

Kevin Vail


Further answer put here in case anyone else searches for this.

Discovered client was using a number of different rsync commands and it didn't look like it was going to be possible to cover them all. So switched them to using rsync's "pseudo-daemon" mode, triggered by explicitly specifying the SSH client (which they were already doing), and using a double-colon to separate the host from the path (which then begins with an rsync "module" name). The only command that has to be added to Allowed Commands, then, is "rsync --server --daemon .". Client has confirmed that it works like a champ!

answered Jan 10 '12 at 17:28

Kevin Vail
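As an added example, not part of the thread and not Tectia's own code: a POSIX sh forced-command wrapper that accepts only the two exact server-side rsync invocations identified in the discussion and refuses anything else, including any variant with extra options or appended commands. Tectia enforces its Allowed Commands setting internally; this script is a generic stand-in for that check, and it assumes the SSH server exposes the requested command in `SSH_ORIGINAL_COMMAND` as OpenSSH does.

```sh
#!/bin/sh
# Added example. The two allowed strings are the ones named in the thread:
#   "rsync --server --daemon ."   (pseudo-daemon mode, client uses host::module with -e ssh)
#   "rsync --server -dlogDtpr ."  (plain rsync -a push, as seen in the server error log)
# Anything else, including other option combinations, is refused. This is the
# reason the thread moved to daemon mode: the option string changes with each
# client-side rsync invocation, so only the daemon form is stable.

# Returns 0 if the requested command is exactly one of the allowed strings, else 1.
check_allowed_command() {
    case "$1" in
        'rsync --server --daemon .')  return 0 ;;
        'rsync --server -dlogDtpr .') return 0 ;;
        *)                            return 1 ;;
    esac
}

# Entry point when installed as a forced command (assumed: the server sets
# SSH_ORIGINAL_COMMAND to what the client asked to run). Exact-match means the
# word splitting in "exec $cmd" can only ever produce the two vetted argv lists.
run_if_allowed() {
    cmd="${SSH_ORIGINAL_COMMAND:-}"
    if check_allowed_command "$cmd"; then
        # shellcheck disable=SC2086
        exec $cmd
    fi
    printf 'refused command: %s\n' "$cmd" >&2
    exit 1
}

# Uncomment to use as the real forced command:
# run_if_allowed
```

The client side that produces the daemon-mode string is the form the thread describes, `rsync -e ssh localfile user@host::module/`, with the module defined in the remote user's `rsyncd.conf` (file location is rsync's convention, assumed here rather than taken from the thread).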

To set up non-user interactive authentication, you can put the password in the command line (not recommended), or can create a user key pair without a passphrase. Please see the following Q&A for set up details.

http://answers.tectia.com/questions/8/how-do-i-setup-public-key-authentication-with-tectia

I wasn't sure what you mean by preventing direct login, but if you mean you don't want to allow Terminal (commands) type of connections, then on your SSH server you can turn off Terminal access and leave open SCP/SFTP.

answered Dec 16 '11 at 22:22

Joe - Tectia Support

That's exactly what I mean by preventing direct login...deny terminal. However, if the user does an "rsync" to this system, I want that to succeed. Putting /usr/bin/rsync in allowed commands doesn't do it, so I'm probably missing something.

I can get this to work for the users who wanted scp/sftp only, but rsync seems like a different creature.

(No problems setting up key pairs or whatever; they're mostly going to do this interactively and use a password.)

answered Dec 19 '11 at 20:19

Kevin Vail

What OS are you running rsync on?

What SSH clients are being used? Is it a Tectia client?

answered Dec 19 '11 at 20:52

Joe - Tectia Support

Red Hat Linux.

The client is Tectia (so is the server, obviously). The message I get when I try is:

Connection error: Unable to connect to Broker rsync: connection unexpectedly closed (0 bytes received so far) [sender] rsync error: error in rsync protocol data stream (code 12) at io.c(600) [sender=3.0.6]

I don't even get the Tectia banner before this happens, and nothing at all appears in the log that I can find.

answered Dec 19 '11 at 21:19

Kevin Vail

OK, this may be solved. I had two issues -- one of them being that I have one host that can't rsync at all (always gets the above error, even as myself). When testing with a different host, communicating to the one I set up to allow rsync, I got an error in the error log that indicated the command I have to allow is "rsync --server -dlogDtpr .". When I do that, it works. About to expand the test arena to one of the actual client systems, but that may be all that I needed.

Thank you for your help, Joe!

answered Dec 20 '11 at 22:02

Kevin Vail

Asked: Dec 14 '11 at 17:19

Seen: 5,155 times

Last updated: Jan 10 '12 at 17:28

All user contributed content licensed under the cc-by-sa license.
Powered by OSQA.