Restrict SSH access to only allow rsync

Rsync is still one of the most popular tools to synchronize files between two systems. Although it has a few caveats when dealing with special files, it can do its job very well. In this explainer we will show how to use it in combination with SSH and at the same restrict SSH access to only allow the rsync job to run.

In this article we refer to system01 having the original files and it wants to send them to the receiving system (system02)

Create user on receiving system

The system that receives the files (system02) should have a user that will be used for the file transport. Typically this is a dedicated user for file transfers. For this example we call it backupuser. The user does not need a password, as we don’t want interactive logins.

adduser --disabled-password --shell /bin/bash --gecos "Backup user" backupuser

Generate the key

Using the ssh-keygen utility we can create a new key. In this example we will store the SSH keys in /data/ssh-keys and restrict access, so let’s create that path first.

mkdir -p /data/ssh-keys
chmod 700 /data/ssh-keys

Next step is the creating of the key.

ssh-keygen -t ed25519 -f /data/ssh-keys/backupuser-key -C "backupuser for system1"

The -t defines the type of key, in this case Ed25519. For modern versions of SSH this will be the default, but older systems might still use RSA. By defining the type we ensure that we have the right type.

Add entry to authorized_keys

On the receiving system (system02) we need to create a file .ssh/authorized_keys. Create the related paths and set the permissions.

cd /home/backupuser
mkdir .ssh
chmod 700 .ssh
touch authorized_keys
chmod 600 authorized_keys

Insight: SSH is very restrictive when it comes to file permissions. If they are too loose, the usage of SSH keys won’t work.

Set permissions

mkdir /data/backups/system01
chown backupuser:backupuser /data/backups/system01
chmod 750 /data/backups/system01

Copy the restricted rsync access to the authorized_keys

Within the authorized_keys file we now need to tell what command can be executed when we use a particular key.

command=“rsync –server -vlogDtprCze.iLsfx –delete . /data/backups/system01”,no-agent-forwarding,no-port-forwarding,no-pty,no-user-rc,no-X11-forwarding ssh-ed25519 AAAA…….. backupuser for system1

This line tells SSH that it should restrict access (e.g. no shell, no forwarding of anything related to the SSH agent or X11). It also defines what command is allowed, which is restricted to the rsync command.

Important is that we need to replace the last part, as that includes the public key and key comment. This part can be found on the sending system in /data/ssh-keys/backupuser-key.pub.

Initiate the synchronization

On system01 we will now run the action to start the copy.

rsync -e 'ssh -i rsync_key' --archive --cvs-exclude --checksum --compress --verbose --delete /path/to/files/to/backup backupuser@system02:/data/backups/system01

Tip: add the first time the –dry-run parameter so that you can see and test that everything should work as expected

If everything works as expected, the files should be synced now to the other system.

SSH security

Want to secure your SSH configuration even further? Perform a system audit with Lynis, including a configuration test of SSH.

Lynis is a battle-tested technical security audit tool. It is open source, freely available, and used by system administrators all over the world. Other users include IT auditors, security professionals, like pentesters.

Tool Information

Visit project page
Screenshot of Lynis security tool