
Allowing uploads via rsync+ssh with a public key
Posted by lee on Sun 5 Dec 2010 at 03:27

This assumes you want to allow a third party to upload files to a web host, and that they have generated an SSH key pair for this purpose and sent you the public key.

Set up the account

The following will create a new user and home directory in the standard location:
sudo adduser --disabled-password --gecos 'rsync user' rsync01
Alternatively, the home can be set to an existing location as configured in Apache. (Note that the home directory itself shouldn't be one served by Apache, since it will contain the .ssh directory.)
sudo adduser --disabled-password --gecos 'rsync user' \
  --no-create-home --home /srv/web/example.com rsync01
Then append the third party's id_rsa.pub (copied here to /tmp) to the user's authorized_keys file, and create the subdirectory the uploads will go into:
sudo su -l rsync01
mkdir -m 700 ~/.ssh
cat /tmp/id_rsa.pub >> .ssh/authorized_keys
chmod 600 .ssh/authorized_keys
mkdir ~/docs

Restricting further access

You'll want to restrict the remote user to running rsync only, and only within a specific sub-directory, so you probably want to install rrsync.

It's already included in the Debian distribution of rsync, as a gzipped script under /usr/share/doc/rsync/scripts/.

sudo cp /usr/share/doc/rsync/scripts/rrsync.gz  /usr/local/bin/
sudo gzip -d   /usr/local/bin/rrsync.gz
sudo chmod 755 /usr/local/bin/rrsync
Then modify the new user's authorized_keys:
sudo vim ~rsync01/.ssh/authorized_keys
and prefix the key with a command= option that names the sub-directory to be used, e.g. ~/docs:
command="/usr/local/bin/rrsync docs" ssh-rsa AAA...

Note: because the command is locked to the specified subdirectory, the "full path" from the uploader's point of view is "/", i.e. ~/docs appears to them as the root.
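As an added example (not part of the original post), here is a small POSIX sh helper that builds the restricted authorized_keys line for the step above, adding the sshd options that switch off the forwarding and pty features an rsync-only uploader does not need, plus an audit function that flags any key in an authorized_keys file that is not locked to a forced command. It assumes rrsync is installed at /usr/local/bin/rrsync as above and that the subdirectory is given relative to the account's home; the key material in the comments and test is constructed, not a real key.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes rrsync is at
# /usr/local/bin/rrsync and SUBDIR is relative to the upload account's home.

# restricted_key_line SUBDIR PUBKEY_FILE
# Print one authorized_keys line: the rrsync forced command for SUBDIR plus
# options that disable agent/port/X11 forwarding, pty allocation and ~/.ssh/rc.
restricted_key_line() {
    subdir=$1
    pubkey=$(head -n 1 "$2")
    # Accept only a plausible "<keytype> <base64> [comment]" public key line.
    case $pubkey in
        ssh-rsa\ AAAA*|ssh-ed25519\ AAAA*|ecdsa-sha2-*\ AAAA*) ;;
        *) echo "not a public key: $2" >&2; return 1 ;;
    esac
    printf 'command="/usr/local/bin/rrsync %s",no-agent-forwarding,no-port-forwarding,no-pty,no-user-rc,no-X11-forwarding %s\n' \
        "$subdir" "$pubkey"
}

# audit_authorized_keys FILE
# Print every key line that carries no command= restriction (such a key would
# give the uploader a normal shell). Returns 1 if any were found, else 0.
audit_authorized_keys() {
    bad=0
    while IFS= read -r line; do
        case $line in
            ''|'#'*) continue ;;                    # blank lines and comments
            *command=\"*) ;;                         # forced command present
            *) echo "UNRESTRICTED: $line"; bad=1 ;;
        esac
    done < "$1"
    return $bad
}
```

Run restricted_key_line on the uploader's id_rsa.pub and append its output to the account's authorized_keys, then run audit_authorized_keys on that file to confirm no unrestricted key slipped in.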