Hardening authorized_keys used in rsync backup

Question

• I'm trying to make a rootfs backup from ServerA on to ServerB.
• The connection is one way and is initialized from ServerB using rsnapshot.
• I have made a backup account on ServerA and enabled paswordless sudo only for rsync

What I'm trying to accomplish:

• Change the authorized_keys file on ServerA, so only the rsync command can be used via ssh.

 

On ServerB - /etc/rsnapshot.conf is setup to run rsync with the following args:

• rsync_long_args --rsync-path="sudo rsync" --delete --numeric-ids --relative --delete-excluded

 

I have tried the following on ServerA:

• from="ServerB",command="sudo rsync *" ssh-ed25519 SSH-KEY

But rsnapshot keeps crashing and giving IO error codes for rsync.

What am I missing here?

Answer 1

!! Problem Solved !!

Found out about rrsync --- /usr/share/doc/rsync/scripts/rrsync, copy it to wherever.

• ServerA:authorized_keys --- command="sudo /usr/local/bin/rrsync -ro /backup"

Since I'm keeping a copy of the backups on ServerA, I might as well rsync from them instead of using rsnapshot on ServerB. (This was my initial idea, but it doesn't work since there are duplicate files because of links that rsnapshot creates, I ended up having rsnapshot running both on ServerA and ServerB, to save backups from ServerA to a localDir on ServerA and also make remote snapshots from ServerA to ServerB.)

• Also changed the sudoers file on ServerA:

Defaults!/usr/local/bin/rrsync env_keep += "SSH_ORIGINAL_COMMAND"
backup ALL = (root) NOPASSWD: /usr/local/bin/rrsync

• rsync -ax --delete --numeric-ids --relative ServerA:/ /ServerB-backup/

Now works as expected.

Note that the path on ServerA in the command above is relative to the rule set in authorized_keys.