
allow external user auth for rsync daemon over ssh scenario

Open arekm opened this issue 4 years ago • 0 comments

I'm using rsync in daemon mode over ssh. This has the obvious benefit of encrypted ssh as a transport.

Shell account with "rbackup" login, with ssh-key-based access only:

$ cat .ssh/authorized_keys
from="127.0.0.1",command="RSYNCD_FORCE_USER=myuser; /usr/bin/sudo /home/users/arekm/rpm/BUILD/rsync-3.2.3/rsync --config=/home/rbackup/rsyncd.conf --server --daemon .",restrict ssh-rsa AAAAB3NzaC1yc2...
from="127.0.0.1",command="RSYNCD_FORCE_USER=someotheruser; /usr/bin/sudo /home/users/arekm/rpm/BUILD/rsync-3.2.3/rsync --config=/home/rbackup/rsyncd.conf --server --daemon .",restrict ssh-rsa AAAAB3Nzadfdsf...
# cat /etc/sudoers.d/rbackup
Defaults:rbackup env_keep += "SSH_CONNECTION"
rbackup ALL=NOPASSWD: /home/users/arekm/rpm/BUILD/rsync-3.2.3/rsync --config=/home/rbackup/rsyncd.conf --server --daemon .
$ cat /home/rbackup/rsyncd.conf 
log file = /var/log/rsyncd.log
uid = root
gid = root
use chroot = yes

transfer logging = yes
read only = yes

[bin]
        path = /bin
        comment = bin

[sbin]
        path = /sbin
        comment = sbin

That works quite well. I get the ssh client IP (from $SSH_CONNECTION) logged nicely (but only the IP, unfortunately):

2021/02/05 17:24:48 [3676190] connect from localhost (127.0.0.1)
2021/02/05 16:24:48 [3676190] rsync on bin/bash from localhost (127.0.0.1)

This is a feature request about allowing external auth using a shell variable, in this case set by sshd itself (and without using the rsync secrets file).

I have two (or more) keys in .ssh/authorized_keys. Each belongs to a different user. I can set some variable like RSYNCD_FORCE_USER with a different value for each user, which could then be used by rsync internally as "auth_user".

That would give all the rsyncd bells and whistles without a second (rsyncd secrets based) auth. So "auth users" would work and the user would be logged in rsyncd.log.

The only thing rsync would need to do is use some variable (RSYNCD_FORCE_USER, for example) as the forced auth user, in auth_server() probably.

A crude (but working) patch to show what I mean is attached: rsyncd-foce-user.patch.txt

With it:

[bin]
        path = /bin
        comment = bin
        auth users = arekm
$ rsync -avP -e 'ssh' rbackup@localhost::bin/bash .
2021/02/05 17:43:07 [3679894] rsync on bin/bash from arekm@localhost (127.0.0.1)

arekm, Feb 05 '21 17:02
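The setup above hinges on one detail: the per-key forced command is the only place the user name is set, so the authorized_keys line has to be quoted exactly right or sshd runs something other than what was intended. The script below is an added example (not from the issue and not part of rsync) that generates those entries from a key-to-user mapping and checks that each line carries a single, properly closed command= option. It assumes the variable name RSYNCD_FORCE_USER from the issue, sudo at /usr/bin/sudo, the rsyncd.conf path from the issue, and rsync installed at /usr/bin/rsync; the mapping and the public keys are constructed for the example.

```shell
#!/bin/sh
# Added example for the rsync-daemon-over-ssh scenario: emit one
# authorized_keys entry per user with a forced command that sets
# RSYNCD_FORCE_USER before launching the daemon. Not the issue's or
# rsync's own code.

# Assumptions: paths and variable name follow the issue, except the rsync
# binary, which is assumed to be the distribution's /usr/bin/rsync.
RSYNC_BIN="/usr/bin/rsync"
RSYNCD_CONF="/home/rbackup/rsyncd.conf"
RSYNC_CMD="/usr/bin/sudo $RSYNC_BIN --config=$RSYNCD_CONF --server --daemon ."
ALLOWED_FROM="127.0.0.1"

# authorized_keys_entry USER PUBKEY
# Prints a single authorized_keys line. The user name is restricted to a
# safe character set because it is spliced into a shell command that sshd
# runs; `restrict` disables forwarding, pty and agent for the key holder.
authorized_keys_entry() {
    user=$1
    pubkey=$2
    case "$user" in
        ""|*[!A-Za-z0-9._-]*)
            printf 'refusing unsafe user name: %s\n' "$user" >&2
            return 1 ;;
    esac
    printf 'from="%s",command="RSYNCD_FORCE_USER=%s; %s",restrict %s\n' \
        "$ALLOWED_FROM" "$user" "$RSYNC_CMD" "$pubkey"
}

# Constructed mapping (fake keys): "<user> <key type> <key material>".
MAPPING='arekm ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyOne
someotheruser ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyTwo'

# generate_authorized_keys: one entry per mapping line, fails on a bad name.
generate_authorized_keys() {
    printf '%s\n' "$MAPPING" | while read -r user pubkey; do
        authorized_keys_entry "$user" "$pubkey" || return 1
    done
}

# check_entry LINE
# Returns 0 only if the command= option is one closed quoted string whose
# body sets the variable and then runs sudo, and the key is restricted.
# A stray quote after the variable value (command="VAR=x"; sudo ...)
# truncates the forced command to just the assignment, so it is rejected.
check_entry() {
    line=$1
    rest=${line#*command=\"}
    [ "$rest" != "$line" ] || return 1      # no command= option at all
    cmd=${rest%%\"*}                        # body up to the closing quote
    case "$cmd" in
        RSYNCD_FORCE_USER=*"; /usr/bin/sudo "*) ;;
        *) return 1 ;;
    esac
    case "$line" in
        *",restrict "*) ;;
        *) return 1 ;;
    esac
}

# Stand-alone use: print the generated entries and validate each one.
generate_authorized_keys | while read -r line; do
    check_entry "$line" || { echo "bad entry: $line" >&2; exit 1; }
    printf '%s\n' "$line"
done
```

Two caveats go with this. First, sudo resets the environment by default, so the sudoers fragment in the issue only passes SSH_CONNECTION through; for the forced variable to reach the daemon the rbackup rule also needs `env_keep += "RSYNCD_FORCE_USER"`, otherwise rsync sees no forced user at all. Second, the variable is trustworthy only because the forced command is the sole writer of it: with `restrict` and a forced command the key holder cannot run anything else, and sshd does not pass client-supplied environment through unless AcceptEnv or PermitUserEnvironment is configured, so neither should be enabled for that account.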