Hi,

I'm having problems with the command= syntax in the authorized_keys file. I'm running rsync 2.5.6. I've searched the list archives for "authorized_keys" and "protocol version mismatch", but I can't seem to derive a solution from those threads.

Simply put, my goal is to let a group of 15 to 20 users update a set of files in a single user account on a group of remote machines that don't share a file system. But, I want ssh, via the forced-command syntax, to allow these users only to run rsync (i.e. not get a login shell or run some other command). Once that's working, I'll mess with rsyncd.conf to further restrict what they can do.

I'm trying to do what it says in the man page section titled "RUNNING AN RSYNC SERVER OVER A REMOTE SHELL PROGRAM". I have my ssh public keys all distributed and rsync works fine for me if I don't use the forced-command syntax in the authorized_keys file.

For reference, my rsync command line looks like this:

rsync --dry-run --verbose --checksum --recursive --copy-unsafe-links --times --rsh=ssh --rsync-path=/usr/local/bin/rsync --delete --timeout=30 --ignore-times --compress /foo/bar/baz <ruser>@<rhost>:/home/ruser/bar

Attempt 1:

I first tried doing this in authorized_keys:

command="rsync --server --daemon ." <key>

When I did that, I got the famous error:

protocol version mismatch - is your shell clean?
(see the rsync man page for an explanation)
rsync error: protocol incompatibility (code 2) at compat.c(62)

Attempt 2:

Then, I tried this in authorized_keys, so I could see what the original command was:

command="echo $SSH_ORIGINAL_COMMAND" <key>

But, that gave the same error when I ran my rsync command:

protocol version mismatch - is your shell clean?
(see the rsync man page for an explanation)
rsync error: protocol incompatibility (code 2) at compat.c(62)

If I just ran something simple like ssh <ruser>@<rhost> foobar, it would print out "foobar" as expected.

Attempt 3:

Finally, I tried changing authorized_keys to:

command="/bin/true" <key>

to see if there was any garbage from my dot files. All I saw was the banner message as specified in the sshd_config file with the keyword Banner. That goes to stderr, not stdout, if that makes a difference. When I ran my rsync command, I got:

rsync: connection unexpectedly closed (0 bytes read so far)
rsync error: error in rsync protocol data stream (code 12) at io.c(165)

When I ran "ssh <ruser>@<rhost> foobar", all I got was the banner message. If I ran just "ssh <ruser>@<rhost>", I got the banner followed by the line "Connection to <remote_machine> closed."

Does anyone have any ideas how I can make this work? Is there a different/better way to do the same thing? If it makes any difference, all machines involved are Solaris 7 and ssh is version 3.4p1. I'm not the admin on these machines, so a solution that does not require root privs would be best.

Thanks,
Marc
David Starks-Browning
2003-Apr-23 06:57 UTC
Running an rsync server over a remote shell program
Sorry for the late response.

On Wednesday 16 Apr 03, Marc Sarrel writes:

> Hi,
>
> I'm having problems with the command= syntax in the authorized_keys file. I'm running rsync 2.5.6. I've searched the list archives for "authorized_keys" and "protocol version mismatch", but I can't seem to derive a solution from those threads.
>
> Simply put, my goal is to let a group of 15 to 20 users update a set of files in a single user account on a group of remote machines that don't share a file system. But, I want ssh, via the forced-command syntax, to allow these users only to run rsync (i.e. not get a login shell or run some other command). Once that's working, I'll mess with rsyncd.conf to further restrict what they can do.
>
> I'm trying to do what it says in the man page section titled "RUNNING AN RSYNC SERVER OVER A REMOTE SHELL PROGRAM". I have my ssh public keys all distributed and rsync works fine for me if I don't use the forced-command syntax in the authorized_keys file.
>
> For reference, my rsync command line looks like this:
>
> rsync --dry-run --verbose --checksum --recursive --copy-unsafe-links --times --rsh=ssh --rsync-path=/usr/local/bin/rsync --delete --timeout=30 --ignore-times --compress /foo/bar/baz <ruser>@<rhost>:/home/ruser/bar
>
> Attempt 1:
>
> I first tried doing this in authorized_keys
>
> command="rsync --server --daemon ." <key>
>
> When I did that, I got the famous error:
>
> protocol version mismatch - is your shell clean?
> (see the rsync man page for an explanation)
> rsync error: protocol incompatibility (code 2) at compat.c(62)

When I've needed to set the command= parameter in an authorized_keys file (just two weeks ago, actually), I simply invoke rsync (client) with the -vv option. This tells me exactly what command is being invoked remotely. From that you can easily construct your command string. I found that all options (--checksum --recursive ...) are included in the remotely-invoked command.

Maybe that's your problem here. (Also "." and "/home/ruser/bar" don't match.)

Note that I have not considered the possibility of using rsyncd.conf on the remote site.

Good luck!

Regards,
David
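Building on David's suggestion to read the server-side command from rsync -vv, and on Marc's Attempt 2, here is a forced-command wrapper that is an added example, not code from either post: it accepts only an "rsync --server" run that writes into one directory, refuses everything else, and sends diagnostics to stderr, since anything written to stdout (as Attempt 2's echo did) corrupts the protocol stream and produces the "is your shell clean?" error. The script path, ALLOWED_DIR and the exact option string rsync sends are assumptions.

```shell
#!/bin/sh
# Forced-command wrapper for an rsync-only account (hypothetical script, e.g.
# ~/bin/rsync-only.sh, referenced from authorized_keys as:
#   command="/home/ruser/bin/rsync-only.sh",no-pty,no-port-forwarding <key>
# sshd puts the client's requested command in SSH_ORIGINAL_COMMAND. The
# wrapper accepts only an "rsync --server" run that writes into ALLOWED_DIR,
# logs to stderr (stdout must stay a clean protocol stream), then execs rsync.

ALLOWED_DIR="/home/ruser/bar"      # assumption: the one directory users may update
RSYNC="/usr/local/bin/rsync"       # same path as --rsync-path in the original post

# Returns 0 when $1 is an acceptable server-side rsync command, 1 otherwise.
check_rsync_command() {
    cmd=$1
    # Reject an empty command, shell metacharacters and ".." anywhere in it.
    case "$cmd" in
        ""|*[\;\&\|\$\<\>\(\)\`]*|*..*) return 1 ;;
    esac
    set -- $cmd                          # safe to word-split after the check above
    [ "${1##*/}" = "rsync" ] || return 1 # "rsync" or "/usr/local/bin/rsync"
    [ "$2" = "--server" ] || return 1    # a login shell or any other program is refused
    shift 2
    last=""
    for arg; do
        # --sender would let the caller read the account's files instead of updating them.
        [ "$arg" = "--sender" ] && return 1
        last=$arg
    done
    # The receiving rsync server ends its argument list with the destination directory.
    case "$last" in
        "$ALLOWED_DIR"|"$ALLOWED_DIR/") return 0 ;;
        *) return 1 ;;
    esac
}

if [ -n "$SSH_ORIGINAL_COMMAND" ]; then          # only when invoked by sshd
    if check_rsync_command "$SSH_ORIGINAL_COMMAND"; then
        set -- $SSH_ORIGINAL_COMMAND
        shift                                    # drop the leading rsync word
        exec "$RSYNC" "$@"
    fi
    echo "rsync-only: rejected: $SSH_ORIGINAL_COMMAND" >&2
    exit 1
fi
```

Run the client once with -vv to capture the exact server command it sends, then tighten the checks to that option string if your users' invocations are fixed.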