Never mind. I figured it out after some trial and error. Basically I have my forced ssh command script intercepting the rsync call and setting the parameters myself.

Thanks all for your help. I still may have more questions but so far it is looking good!

Doug

On Dec 7, 2007 2:29 PM, Doug Lochart <[EMAIL PROTECTED]> wrote:

> Matt,
>
> Questions for you based on your earlier response
>
> > Anyway, it's easy to do a secure rsync daemon setup with ssh connections
> > and authentication. Make a separate daemon configuration file for each
> > user listing only the modules he/she is allowed to access. Then set
> > each user's forced command to invoke a single-use daemon with the
> > appropriate configuration file ("rsync --daemon --server
> > --config=<rsyncd-user.conf> ."). The situation for multiple single-use
> > daemons sharing a single log file is exactly the same as for multiple
> > concurrent connections to a background daemon: lines of output get
> > intermingled, but nothing terrible happens.
>
> I am going to take this approach and mix it with something else I thought
> of but I still have a few questions. I am playing with an rsync_wrapper
> script that makes sure that only rsync commands are executed within the SSH
> shell. I adapted the one on the rsync site. You mention "each user's
> forced command". When you say this are you referring to the client side
> rsync command OR forcing the issue within an rsync_wrapper script?
>
> What I really would like to do is remove some of the stuff on the client
> side and simply embellish the server side rsync command within the
> rsync_wrapper. I would also like to point the server to the rsync module
> for that client.
>
> So basically if this came across in SSH_ORIGINAL_COMMAND for user foo
>
>     rsync --log-file=/tmp/rlog --server -vlogDtpr --log-format=%o . /data/foo
>
> I would manipulate the command to do this:
>
>     rsync --log-file=/tmp/rlog --daemon --server -vlogDtpr --config=/home/foo/rsyncd.conf --log-format=%o . /data/foo
>
> Can this be done OR do you recommend passing the --daemon in the
> --rsync-path option from the client?
>
> > You don't have to write a separate configuration file for each user
> > manually. You can force a script that generates a configuration file
> > specific to the user from a global template and provides the file to the
> > daemon on one of its fds. A better alternative might be to enhance
> > rsync with a --client-user=USER daemon option that makes the daemon
> > assume the client is USER without performing its own authentication
> > protocol. Then all the forced commands could use a single configuration
> > file but pass different --client-user options.
> >
> > Matt

--
What profits a man if he gains the whole world yet loses his soul?
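
The forced-command setup discussed in this thread, as an added example that is not code from the original posts or from the rsync project: the wrapper checks that the client asked for an rsync server, discards the client's arguments, and starts the single-use daemon with that user's configuration file. The wrapper path, `CONF_DIR`, and the `authorized_keys` line are assumptions, and the client is assumed to connect in daemon mode over ssh (`rsync -e ssh host::module`).

```shell
#!/bin/sh
# Added example: forced-command wrapper for per-user single-use rsync daemons.
# Assumed authorized_keys entry (wrapper path and user name are hypothetical):
#   command="/usr/local/bin/rsync_wrapper foo",no-pty,no-port-forwarding <key>
# CONF_DIR is a hypothetical root-owned directory, so a module that exposes
# the user's home directory cannot be used to rewrite the daemon config.
CONF_DIR=/etc/rsyncd.d

# build_forced_command USER ORIGINAL_COMMAND
# Prints the server-side command to run, or returns 1 to reject the request.
# Nothing from the client's command line is copied into the result.
build_forced_command() {
    # The user name comes from authorized_keys, but validate it anyway
    # because it becomes part of a file path.
    case "$1" in
        ''|*[!a-z0-9_-]*) return 1 ;;
    esac
    # Accept only an rsync invocation that asks for server mode.
    case "$2" in
        "rsync --server "*|"rsync "*" --server "*) ;;
        *) return 1 ;;
    esac
    printf 'rsync --daemon --server --config=%s/%s.conf .' "$CONF_DIR" "$1"
}

# sshd sets SSH_ORIGINAL_COMMAND when the client supplied a command.
# With no command (an interactive login attempt) the script just ends,
# so the key never yields a shell.
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    cmd=$(build_forced_command "${1:-}" "$SSH_ORIGINAL_COMMAND") || {
        echo "rsync_wrapper: rejected: $SSH_ORIGINAL_COMMAND" >&2
        exit 1
    }
    # Word-split on purpose: cmd holds only fixed text and the validated name.
    exec $cmd
fi
```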