osync
osync copied to clipboard
deajan
Is it possible to use osync by only allowing rsync?
Hi,
I have a situation in which I want to sync files with osync, however, I do not trust the computer that initiates the sync process completely. Therefore, I created an extra user on the server to sync with which has as shell rssh. rssh is configured in a way that only the rsync command is allowed. However, when I start the osync process I get an error that only rsync is allowed during the login process. This means, that osync is using something besides rsync during the process. Since I do not know how osync works internally, I wanted to ask if it is possible to use osync in a way that it only uses rsync?
Cheers, sqall
I think this is mostly related to #185. osync uses litteral bash scripts it sends remotely to execute certain tasks (ie deletion, checks, locking etc) so just allowing rsync isn't possible.
In your case, why not reverse the osync initator on a trusted comptuer and use the target-helper so syncs get triggerd from the untrusted one ?
Thanks for the response and sorry for my late reply.
If I would switch initiator would this not mean that my untrusted host has to be reachable from the Internet? Because the untrusted host is a client which is not reachable from the Internet. Or do I misunderstand the meaning between initiator and target?
Sorry for my late response now... Could you elaborate a bit ? Not sure I'm understanding what you're trying to achieve.
Ok, here is my scenario:
I have a server which has a folder with files. I have a client (a laptop which switches networks) which should sync the folder from the server when I log in. However, I do not trust the laptop with having a SSH key for my server (because I am not the only one with access to it). Hence my question, if I can somehow restrict the access needed to my server.
Using a passphrase for my SSH key does not work for me, because osync initiated so many connections that I have to enter it the passphrase multiple times. My solution at the moment is to create an encrypted folder on the laptop which contains a SSH key without any passphrase. When log in, I am asked for the password for the encrypted folder, then osync syncs everything and the encrypted folder is closed again.
Hmm... First of all, the ssh key to the server could be restricted to the sole folder you want (create a user which home directory is the folder on the server). Secondly, using a controlmaster, the connections are initiated only once.
A SSH controlmaster will leave an unix socket open between both hosts, so further SSH connections won't need to reauthenticate. osync v1.3 (current master) allows usage of a controlmaster via SSH_CONTROLMASTER=true
See https://github.com/deajan/osync/issues/177
You might also configure directly a controlmaster in your /etc/ssh/ssh_config file.
I tend to configure them directly in my /etc/ssh/ssh_config file like
Host *
ControlMaster auto
ControlPath ~/.ssh/control-master-%r@%h:%p
ControlPersist 1800s
You may replace '*' by the IP of your server.
I'd support this request as I have a similar scenario, but no such control over the remote server at all. Im running an architecture which involves a server in local network backed by a cloud service provider supporting rsync/ssh protocol. So actual data can fastly be up- and downloaded in LAN from/to that local server, which then should synchronize this data with the cloud environment on a regular basis (like every night). A reliable two-way synchronization is desired and osync itself looks promising in tests.
However - the cloud service allows rsync via ssh but obviously refuses direct ssh connections for safety reasons ("shell access not allowed") and I have no possibility to change that. So an rsync-only solution (probably less sophisticated, eg. without server-side soft-deletion which comes as a feature of that cloud service anyway, but though working) to achieve a two-way sync would be really desirable. I assume the client side would have to maintain server&client state snapshots which will likely be more error prone, but should be manageable on a well controlled environment like a server.
Edit: currently I use a workaround via dedicated upstream and downstream directories to manage local and remote access, but thats far less intuitive and more difficult to manage as it requires moving files in downstream to upstream on the local server and delete the downstream on the server as soon as it has been moved locally.
