- 2013-06-18 Adding change rbackup user’s login shell section.
- 2013-06-14 A few steps updated, thanks in part to contributors. Notably, the
rbackupuser doesn’t necessarily need to be created on the backup server (uno) as described originally.
- 2011-01-07 Initial post.
To rsync and/or rsnapshot both normal and protected/restricted files from one server to another over ssh without enabling remote root access to either server while maintaining original file attributes and permissions. Whew.
Cast of Characters
- uno: the server which will store the backups, run rsync or rsnapshot.
- zero: the server to be backed up, with root readable files (/etc for example).
- root on both uno and zero, hopefully via sudo and not by remote root ssh access!
The command examples here are specific to Debian and Ubuntu, so adjust to your distribution accordingly (though little if any adjustment should be necessary).
Server: uno (backup server)
Become root, create an ssh key pair:
When naming the key, don’t accept the default. Instead, enter
We’re naming the key pair with ‘rbackup’ in it to keep track of what the keys are for.
As root, create a ssh config file:
In root’s .ssh/config file:
1 2 3 4 5
Save the file, set permissions:
While still root, copy the public key
id-rbackup_rsa.pub somewhere publicly
accessible, such as your regular user’s home directory.
As your regular user (which already has ssh access to zero), send this public key from uno to zero:
Server: zero (server to be backed up)
Create new backup user, lets call it
Make uno’s public key
id-rbackup_rsa.pub available to user rbackup.
Login as rbackup, create a .ssh directory, set permissions, create an
1 2 3 4 5 6 7
Now we want to limit the use of this authorized key by allowing connections only from uno, and allowing one command only. Edit the key, and add something like this to the beginning of the key:
While still user rbackup, create a script named
validate_rsync.sh in your
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18
Make sure that
validate_rsync.sh is executable by user (and group) rbackup:
As your regular user (which can sudo):
Add this line to the bottom:
For a little added security, set the rbackup user’s login shell to the
When prompted to choose the login shell, enter
If you have the
AllowUsers directive set for sshd in
make sure to add the user
rbackup to the list, and restart sshd.
As root or with sudo, create a simple rsync wrapper, named
rsync_wrapper.sh at /usr/local/bin,
Become user rbackup on uno, attempt ssh to zero:
The “Connection closed.” with the period at the end tells us the
validate_rsync.sh worked as expected (echoing the last Connection closed).
Become root on uno, attempt to ssh to zero-rsync (the alias set in root’s .ssh/config):
Become root on uno, attempt to rsync something on zero that is restricted:
Expected response: you should have a copy of zero’s /etc directory in regular users tmp directory (or wherever). Important things to note in the above command - the –rsync-path switch and using zero-rsync as the host instead of just zero.
If the above tests all work, setting up rsnapshot is easy. Check any other guide for general setup info, the relevant stuff for us to use in our rsnapshot.conf is:
Remember the rsnapshot.conf file needs tabs. The
rsync_long_args setting is
rsnapshot’s default rsync arguments, with our
backup command has our backup user (rbackup) and the host alias
set in [email protected]’s .ssh/config.
This was pieced together from various notes, blogs, and articles. Some script source and extra-helpful information was found at: