On Tuesday 28 December 2004 17:12, Dmitry V. Levin wrote:
> > I was thinking of the following solution, but I don't know if it is
> > secure enough:
> > Create a dummy-shell for ssh login that only allows the rsync --server
> > --sender command. Then I get the path of the wanted files, and I appene
On 28-12-2004 at 19:12, Dmitry V. Levin wrote:
>Use chroot(2) to get more robust solution.
>See also ftp://ftp.altlinux.org/pub/people/ldv/rshell/
You may want to have a look at this shell:
http://foosh.sourceforge.net/
I use it and it's nice for rsync (I can't do chroot).
- Alessandro
On Tue, Dec 28, 2004 at 05:24:27PM +0100, Bob wrote:
> I would like to avoid using chroot because it implies my dummy-shell
> must run in suid root. Furthermore, it forces to create a jail with the
> binaries and libraries inside. I was thinking of this solution to avoid
> doing this.
Is there
I would like to avoid using chroot because it implies my dummy-shell
must run in suid root. Furthermore, it forces to create a jail with the
binaries and libraries inside. I was thinking of this solution to avoid
doing this. Do you think there are some security issues using realpath
instead of
Hi,
On Tue, Dec 28, 2004 at 04:53:45PM +0100, Bob wrote:
> I have very special needs and I wanted to use rsync over ssh. I don't
> know if a solution already exists for what I want to do. I want to
> provide rsync over ssh to my users. However, I want to have the
> following limitations:
> 1.
In the development version of rsync now in CVS, ssh and daemon mode can
be used together by using '-e ssh' along with '::'. That is probably
just what Rob needs, please check it out/test it. The documentation has
been updated to describe putting a ssh wrapper key to restrict rsync
operations t
This has been discussed before.
The only way to restrict what rsync-over-ssh can do is to lodge the
restriction in the authorized_keys command= field, restricting what
command a given key can run.
For a single rsync invocation it's easy to figure out: just set up
command=/path/to/wrapper
jw schultz <[EMAIL PROTECTED]> writes:
> For the most part there shouldn't be much of a problem. What you
> are talking about doing is erroring out if the path(s) are out of
> bounds, and either adding/removing options or erroring if they are
> missing/present.
>
> You could just take the SSH_ORI
On Sun, Jan 05, 2003 at 07:50:57PM -0600, Rob Browning wrote:
> jw schultz <[EMAIL PROTECTED]> writes:
>
> > I'm just wondering what you are suggesting be added to rsync
> > that couldn't be done by the wrapper you already need.
> >
> > You can already restrict --delete and check the paths rsync
>
jw schultz <[EMAIL PROTECTED]> writes:
> I'm just wondering what you are suggesting be added to rsync
> that couldn't be done by the wrapper you already need.
>
> You can already restrict --delete and check the paths rsync
> will operate on to ensure they are within the designated
> trees. As it
On Sun, Jan 05, 2003 at 06:32:53PM -0600, Rob Browning wrote:
> jw schultz <[EMAIL PROTECTED]> writes:
>
> > A general purpose wrapper could be done but you would have to have
> > ways to tell it to require these options, disallow these options,
> > which of those options require args, and what ar
jw schultz <[EMAIL PROTECTED]> writes:
> A general purpose wrapper could be done but you would have to have
> ways to tell it to require these options, disallow these options,
> which of those options require args, and what arguments must match
> what patterns. A full implementation would probabl
Rob Browning wrote
> Aaron Morris <[EMAIL PROTECTED]> writes:
>
> > I only mention this because I do not believe most people even realize
> > there is this other mode to rsync. I tried describing it to a
> > co-worker who uses rsync regularly, but he kind of just stared at me
> > blankly.
>
> Ri
Aaron Morris <[EMAIL PROTECTED]> writes:
> I only mention this because I do not believe most people even realize
> there is this other mode to rsync. I tried describing it to a
> co-worker who uses rsync regularly, but he kind of just stared at me
> blankly.
Right. I was aware of that mode, but
On Sun, Jan 05, 2003 at 11:30:41AM -0600, Rob Browning wrote:
>
> I was wondering if it's possible to restrict rsync in various ways on
> the server side when it is invoked via ssh. Two restrictions I had in
> mind are disallowing deletes and/or restricting all actions to a
> particular subdirect
I do not think you can use it with ssh, but if you use rsync in rsync
mode (::) instead of just an interface to rsh (:), you can limit the
directories where you can transfer files (using modules). This involves
setting up the rsync daemon on the server side. The rsync daemon has
the ability t
On Fri, Jun 07, 2002 at 11:09:58AM -0700, Mike Rubel wrote:
>
> > Somewhat belatedly, I can report that I use rsync in daemon mode in
> > conjunction with an SSH tunnel, but using remote port forwarding. I
> > use the method to distribute password and shadow files.
>
> It seemed like this ought
> Somewhat belatedly, I can report that I use rsync in daemon mode in
> conjunction with an SSH tunnel, but using remote port forwarding. I
> use the method to distribute password and shadow files.
It seemed like this ought to be possible.
So, out of curiosity, why does rsync include a "-e ssh
Dave Dykstra writes:
> On Wed, May 22, 2002 at 02:39:00PM -0700, Mike Rubel wrote:
> > This brings up an interesting question. Does anyone use the server
> > version of rsyncd with an ssh tunnel? In other words:
> >
> > On the server, bring up sshd listening on *:22, and rsyncd accepting
> > con
On Wed, May 22, 2002 at 02:39:00PM -0700, Mike Rubel wrote:
>
> > > If so, I am trying to find the best way to restrict rsync -e ssh on the
> > > remote machine. Prepending the authorized_keys entry with
> > > command='rsync ...' 1024... results in the 'Protocol mismatch - is your
> > > shell cl
2002-05-29-15:55:09 Brian D. Hamm:
> No harsh programming statements please this was my first crack at Perl
> :)
I'll avoid any harsh statements:-).
Your code is not particularly idiomatic perl, but it's exceptionally
clear, and as far as I can see correct. You note in a comment one
spot where y
= localtime;
print SSHOUT ("$now RSYNC COMPLETE\n\n");
} else {
print SSHOUT ("$now RSYNC REQUEST FAILED INSPECTION - SKIPPING
RSYNC\n\n"); }
close (SSHOUT);
Brian D. Hamm, CISSP, CCNA
Network Design & Implementation
(o) 727-939-3080
(c) 727-424-4384
(f) 240-266-7
On Wed, May 29, 2002 at 11:04:37AM -0600, [EMAIL PROTECTED] wrote:
> I don't know ssh well enough to know whether it passes parameters besides
> the ones specified in authorized_keys. I think it passes parameters,
> though, because rsync over ssh is the basis of the IBM Content Promotion
> Too
cc: [EMAIL PROTECTED]
(bcc: Tim Conway/LMT/SC/PHILIPS)
Subject:Re: restricting rsync over ssh
Classification:
On Wed, May 22, 2002 at 10:01:27PM -0400, Brian D. Hamm wrote:
> The --server --sender options left me a little confused. I understand
> what they st
On Wed, May 22, 2002 at 10:01:27PM -0400, Brian D. Hamm wrote:
> The --server --sender options left me a little confused. I understand
> what they stand for but these options are not in the help and they don't
> appear to be variables.
Yes indeed, as I tried to indicate, rsync has a private proto
ssage-
From: Bennett Todd [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, May 22, 2002 4:23 PM
To: Brian D. Hamm
Cc: [EMAIL PROTECTED]
Subject: Re: restricting rsync over ssh
2002-05-22-14:00:27 Brian D. Hamm:
> Is it true that when running rsync via ssh (i.e. rsync -e ssh ...)
> the rsyncd
You're dealing with an ssh issue there. Anybody who can't ssh can't rsync
-e ssh. Maybe you could take the public keys from everybody you want to
use it, and put them into the account you want them to ssh into, in
authorized_keys, with the appropriate command restrictions.
Tim Conway
[EMAIL
> > If so, I am trying to find the best way to restrict rsync -e ssh on the
> > remote machine. Prepending the authorized_keys entry with
> > command='rsync ...' 1024... results in the 'Protocol mismatch - is your
> > shell clean?' error.
This brings up an interesting question. Does anyone use
2002-05-22-14:00:27 Brian D. Hamm:
> Is it true that when running rsync via ssh (i.e. rsync -e ssh ...)
> the rsyncd.conf file is not applicable [...]
Yup. Exactly right. When you're using ssh (or rsh, as far as rsync
is concerned they're interchangeable plug parts) the rsync client
you invoke fr