RSYNC Setup and RSYNC with SSH Setup

RSYNC (no SSH)

/etc/rsyncd.conf looks like the following:

    use chroot = yes
    hosts allow = 10.0.0.1

    [mysql]
    path = /apps/data/mysql
    uid = mysql
    gid = mysql
    read only = false
    comment = MySQL backup

(make sure 'hosts allow' is set to the secondary network interface of the opposite system).

If you invoke the following command on the primary system,

    /usr/bin/rsync -auv --delete /apps/data/mysql/ 10.0.0.2::mysql/

you should see a copy of all the mysql files on the secondary in /apps/data/mysql. If not, then your rsync installation isn't correct yet.

RSYNC WITH SSH

Requirements:
  • rsync
  • openssh
  • cron (or vixie-cron)
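Before moving on to the SSH setup, here is an added sanity check for the daemon-mode /etc/rsyncd.conf from the first section; it is not part of the original page. The one thing that keeps a writable module ("read only = false") from accepting uploads from anyone who can reach the daemon port is the "hosts allow" line, so the function below walks a config file and reports every writable module that has no "hosts allow" in the module or in the global section. The sample config it runs on is constructed for the demo: the [mysql] module mirrors the page, the [logs] module is the mistake being hunted, and the module names and paths are assumptions.

```shell
#!/bin/sh
# Added example, not from the original page: audit an rsyncd.conf for
# writable modules ("read only = false") that no "hosts allow" line protects,
# either in the module itself or in the global section.

# Prints the name of each unprotected writable module in the file $1.
# Returns 0 when none is found, 1 otherwise.
audit_rsyncd_conf() {
    awk '
        function flush() {
            if (mod != "" && ro == "false" && !ha && !gha) { print mod; bad = 1 }
        }
        # skip comments and blank lines
        /^[[:space:]]*[#;]/ || /^[[:space:]]*$/ { next }
        # a [module] header closes the previous module
        /^[[:space:]]*[[]/ {
            flush()
            mod = $0
            sub(/^[[:space:]]*[[]/, "", mod)
            sub(/[]].*$/, "", mod)
            ro = ""; ha = 0
            next
        }
        # "key = value" lines; keys may contain spaces, as in "hosts allow"
        index($0, "=") > 0 {
            key = substr($0, 1, index($0, "=") - 1)
            val = substr($0, index($0, "=") + 1)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", key)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", val)
            if (key == "hosts allow") { if (mod == "") gha = 1; else ha = 1 }
            if (key == "read only" && mod != "") ro = tolower(val)
        }
        END { flush(); exit bad + 0 }
    ' "$1"
}

# Constructed sample: a page-style [mysql] module with its own "hosts allow",
# and a [logs] module that forgot it (there is no global "hosts allow" here).
sample=$(mktemp)
cat > "$sample" <<'EOF'
use chroot = yes

[mysql]
path = /apps/data/mysql
uid = mysql
gid = mysql
read only = false
hosts allow = 10.0.0.1
comment = MySQL backup

[logs]
path = /apps/data/logs
read only = false
EOF

if audit_rsyncd_conf "$sample" >/dev/null; then
    echo "OK: every writable module has a hosts allow restriction"
else
    echo "WARNING: writable modules without hosts allow:"
    audit_rsyncd_conf "$sample"
fi
rm -f "$sample"
```

Run it against the real /etc/rsyncd.conf with `audit_rsyncd_conf /etc/rsyncd.conf`; a non-zero exit status means at least one writable module is open to every host that can reach port 873, which is worth a cron-driven check on a backup pair.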

Make sure that remoteuser has read permissions to /remote/dir/ on remotehost, and that localuser has write permissions to /local/dir/ on localhost. Also, 'rsync' and 'ssh' should be in localuser's path (use "which ssh" and "which rsync"), 'rsync' should also be in remoteuser's path, and 'sshd' should be running on remotehost.

Test rsync with ssh with:

    $ rsync -avz -e ssh remoteuser@remotehost:/remote/dir /local/dir/

Generate a private/public pair of keys to allow an 'ssh' connection without asking for a password. This may sound insecure, and it is, but it is better than storing a user password (or key password) as clear text in the script. Furthermore, I can put some limitations on what connections made with this key may do. Anyway, I generate the key I will use on localhost as localuser with:

    $ ssh-keygen -t dsa -b 1024 -f /home/localuser/cron/id_dsa
    Generating public/private rsa key pair.
    Enter passphrase (empty for no passphrase):          (leave blank)
    Enter same passphrase again:                         (leave blank)
    Your identification has been saved in /home/localuser/cron/id_dsa.
    Your public key has been saved in /home/localuser/cron/id_dsa.pub.
    The key fingerprint is:
    2e:28:d9:ec:85:21:e7:ff:73:df:2e:07:78:f0:d0:a0 localuser@localhost

Now we have a key in the two files mentioned above. Make sure that no other unauthorized user can read the private key file (the one without the '.pub' extension): chmod 600 the localhost-rsync-key file. This key will not work until we put the public portion (id_dsa.pub) into the 'authorized_keys' file on remotehost, specifically the one for remoteuser:

    /home/remoteuser/.ssh/authorized_keys

chmod 755 on authorized_keys. Use scp to copy the file to the remotehost:

    $ scp /home/localuser/cron/id_dsa.pub remoteuser@remotehost:/home/remoteuser/

SSH to the remotehost:

    $ ssh remoteuser@remotehost

Make sure the necessary directory and files exist to authorize connections with this key:

    $ if [ ! -d .ssh ]; then mkdir .ssh ; chmod 755 .ssh ; fi
    $ mv localhost-rsync-key.pub .ssh/
    $ cd .ssh/
    $ if [ ! -f authorized_keys ]; then touch authorized_keys ; chmod 600 authorized_keys ; fi
    $ cat localhost-rsync-key.pub >> authorized_keys

Now the key can be used to make connections to remotehost, but these connections can be from anywhere (that the ssh daemon on remotehost allows connections from) and they can do anything (that remoteuser can do). To provide better security, edit the 'authorized_keys' file (with vi) and modify the line with the 'localhost-rsync-key.pub' information on it. Just add a few things in front of what is already there, changing the line from this:

    ssh-dss AAAAB3NzaC1kc3MAAAEBAKYJenaYvMG3nHwWxKwlWLjHb77CT2hXwmC8Ap............................

to this:

    from="10.1.1.1",command="/home/remoteuser/cron/validate-rsync" ssh-dss AAAAB..............................

where "10.1.1.1" is the IP address of localhost, and "/home/remoteuser/cron/validate-rsync" is a script similar to:

    #!/bin/sh
    # Forced command: sshd runs this instead of whatever the client asked for,
    # and the client's request arrives in $SSH_ORIGINAL_COMMAND. Only a
    # server-side rsync invocation is let through; any request carrying a
    # shell metacharacter is refused. (The metacharacters have to be quoted
    # in the patterns, otherwise the shell parses them as operators.)
    case "$SSH_ORIGINAL_COMMAND" in
        *'&'*)  echo "Rejected" ;;
        *'('*)  echo "Rejected" ;;
        *'{'*)  echo "Rejected" ;;
        *';'*)  echo "Rejected" ;;
        *'<'*)  echo "Rejected" ;;
        *'`'*)  echo "Rejected" ;;
        'rsync --server'*) $SSH_ORIGINAL_COMMAND ;;
        *)      echo "Rejected" ;;
    esac

Make certain that the 'validate-rsync' script is executable by remoteuser on remotehost and test it. Now that the key is in place and configured, test it out before putting it in a cron job.
Exit from the ssh session to remotehost and try:

    $ rsync -avz -e "ssh -i /home/localuser/cron/localhost-rsync-key" remoteuser@remotehost:/remote/dir /local/dir/

Finally, create a cron script like:

    #!/bin/sh
    RSYNC=/usr/bin/rsync
    SSH=/usr/bin/ssh
    KEY=/home/localuser/cron/localhost-rsync-key
    RUSER=remoteuser
    RHOST=remotehost
    RPATH=/remote/dir
    LPATH=/local/dir/
    $RSYNC -az -e "$SSH -i $KEY" $RUSER@$RHOST:$RPATH $LPATH

Then save the script as something like "rsync-remotehost-bak". Use 'crontab -e' to insert a line for this new cron job that will run at 2AM every day:

    0 2 * * * /home/localuser/cron/rsync-remotehost-bak
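The forced command above decides everything about what a stolen localhost-rsync-key can do on remotehost, so it pays to write its decision as a function and run it against sample requests before trusting it. The following is an added example, not the page's validate-rsync script. Its first function keeps the page's metacharacter filter and adds three restrictions a pull-only backup key should have: the request must be in rsync's --sender mode (remotehost only ever sends, never accepts writes), the requested path must stay inside one directory, and `..` components are refused. Its second function checks that an authorized_keys line actually carries both the from= and command= options the page recommends. ALLOWED_DIR=/remote/dir, the sample commands (shaped like what an rsync client sends for a pull) and the sample key lines are all constructed for the demo and are assumptions, not values from the page.

```shell
#!/bin/sh
# Added example, not from the original page: testable versions of the
# forced-command decision and of the authorized_keys restriction check.

ALLOWED_DIR=/remote/dir   # assumption: the one tree this key may serve

# Returns 0 only for a server-side rsync request that has no shell
# metacharacters, is in --sender (read-only) mode and names a path inside
# ALLOWED_DIR; returns 1 for everything else.
validate_rsync_cmd() {
    cmd=$1
    nl=$(printf '\nx'); nl=${nl%x}      # a literal newline for the pattern below
    case "$cmd" in
        *'&'*|*'('*|*'{'*|*';'*|*'<'*|*'>'*|*'|'*|*'$'*|*'`'*|*"$nl"*)
            return 1 ;;                  # metacharacter: reject, as the page's script does
        'rsync --server '*) ;;           # right shape, keep checking
        *) return 1 ;;
    esac
    case "$cmd" in
        *' --sender '*) ;;               # remotehost is the sender: a pull, nothing written
        *) return 1 ;;
    esac
    path=${cmd##* }                      # rsync --server puts the remote path last
    case "$path" in
        */../*|*/..) return 1 ;;         # no climbing out of the allowed tree
        "$ALLOWED_DIR"|"$ALLOWED_DIR"/*) return 0 ;;
        *) return 1 ;;
    esac
}
# Inside a forced-command script this would be used as:
#   validate_rsync_cmd "$SSH_ORIGINAL_COMMAND" && exec $SSH_ORIGINAL_COMMAND
#   echo "Rejected"

# Returns 0 when the authorized_keys line $1 restricts its key with both a
# from= and a command= option, 1 otherwise. Only ssh-* key types are
# recognised, which covers the page's ssh-dss line.
restricted_key_line() {
    line=$1
    opts=${line%% ssh-*}                 # everything before the key type
    if [ "$opts" = "$line" ]; then       # no " ssh-" found: bare key or malformed line
        return 1
    fi
    case "$opts" in
        *from=*command=*|*command=*from=*) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample requests, in the shape an rsync client sends for a pull.
for c in \
    'rsync --server --sender -vlogDtprze.iLsfxC . /remote/dir' \
    'rsync --server --sender -vlogDtprze.iLsfxC . /remote/dir/../../etc' \
    'rsync --server -vlogDtprze.iLsfxC . /remote/dir' \
    'rsync --server --sender -vlogDtprze.iLsfxC . /remote/dir; id'
do
    if validate_rsync_cmd "$c"; then echo "ACCEPT: $c"; else echo "REJECT: $c"; fi
done

# Constructed sample authorized_keys lines (key material truncated).
for k in \
    'from="10.1.1.1",command="/home/remoteuser/cron/validate-rsync" ssh-dss AAAAB3Nza' \
    'ssh-dss AAAAB3Nza localuser@localhost'
do
    if restricted_key_line "$k"; then echo "RESTRICTED: $k"; else echo "UNRESTRICTED: $k"; fi
done
```

Of the four sample requests only the first is accepted; the others fail on path traversal, on being a push (no --sender) and on the `;`. The --sender test is what turns the page's "can do anything that remoteuser can do" into "can read /remote/dir and nothing else", and the key-line check is a cheap thing to run over /home/remoteuser/.ssh/authorized_keys whenever a new cron key is added.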
