rsync - Feb 2021 - rsync support in authprogs - feedback requested

Authprogs <https://github.com/daethnir/authprogs/> is a general purpose
SSH
command authenticator; it allows you to restrict what commands are allowed
for a given SSH key. It's installable via pip and is in recent Debian and
Ubuntu.

I recently added initial rsync support to authprogs. My goal is to make it
an improvement over  rrsync, providing more than just upload vs download
and directory support.


I'd be very interested in feedback from two communities:

* end users/admins who would be interested in the functionality, and
* developers to help sanity check the implementation

While authprogs has been around for many years, this is the first version
that supports rsync natively. Here's an example config:

from:
    - 10.1.0.0/16
    - 192.168.0.15
allow:
    # Allow rsync to recursively sync /tmp/foo/ to the server
    # including all the bits you get with '-a', but do not
    # allow downloads
    - rule_type: rsync
      allow_upload: true
      allow_recursion: true
      allow_archive: true
      paths:
        - /tmp/foo

    # Allow upload to some specific /srv/htdocs files and
    # any files/directories under /data/lhc/
    #
    # Allow setting times, owner, and group, but no other options
    - rule_type: rsync
      allow_upload: true
      allow_owner: true
      allow_group: true
      allow_times: true
      paths:
        - /srv/htdocs/index.html
        - /srv/htdocs/status.html
      path_startswith:
        - /data/lhc/


I've just started scratching the surface of the server-side options of
rsync, but have implemented all the most common ones (-a, -logptrD, --del,
--delete-*, -vvvv, etc).

The rsync docs are at
https://github.com/daethnir/authprogs/blob/main/doc/authprogs.md#rsync-subrules


Feedback heartily requested.


-- 
Bri Hatch, Systems and Security Engineer. http://www.ifokr.org/bri/

The sooner you fall behind, the more time you'll have to catch up.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.samba.org/pipermail/rsync/attachments/20210217/7a33ce45/attachment.htm>

On Wed, 17 Feb 2021 21:52:06 -0800
Bri Hatch via rsync <rsync at lists.samba.org> wrote:
> I recently added initial rsync support to authprogs.
> I'd be very interested in feedback 
For some 15 years+ (?) I've had a /root/.ssh/authorized keys line
that starts with:

"no-pty,no-agent-forwarding,no-port-forwarding,no-user-rc,no-X11-forwarding,command="rsync
--server --daemon ."

Occasionally I frob the ssh restrictions as new ones are
introduced.

The remote end uses rsync to backup (with --link-dest) the
entire file system.  The idea (iirc) was to restrict
the given key so that it would only run rsync.
And I think this also forces the local end to use
/etc/rsyncd.conf, where there's an additional layer
of security via a secrets file and read-only can
be set to provide some control.

The remote end always runs rsync -- the direction of 
transfer is static, per-host-pair, but can be either
in or out. (Push or pull backups.) The above authorized_keys 
line does not enforce direction, which might be useful.

I only rarely think about tweaking the authorized_keys line, 
and the rsync options used haven't changed since I got them to work.
Without really thinking about it it seems that your
authprogs development might be useful.  

My purpose with this email is to let you do all the 
thinking and tell me of all the wonderful utility
your authprogs work can provides, either now or
in the future.  ;-)  Or at least give you some
background in case you want to develop in a direction
that you think would helpful to me.  If something comes
of this I might even turn my brain on again and
modify my systems.  :)

Regards,

Karl <kop at karlpinc.com>
Free Software:  "You don't pay back, you pay forward."
                 -- Robert A. Heinlein