rsync over ssh, multiple private keys sharing same UID, chroot

Alan Barrett apb at cequrux.com
Wed Apr 7 08:16:28 EST 2010


On Tue, 06 Apr 2010, Alex Bligh wrote:
> I am thinking of configuring a service where multiple users have their
> own private keys to do rsync over ssh. I don't want each of these
> users to have their own UID. I want them each to share a UID, but
> to have space on the ssh server isolated from any other user.
> Let us assume that I also wish to prevent them from using any
> service other than rsync.

I'd probably trust rsync's daemon mode to keep the users separate, and
not bother with user-specific chroots at the ssh level.  Search for this
example in the rsync man page:

   rsync -av -e "ssh -l ssh-user" rsync-user@host::module /dest

The client users would all use the same "ssh-user" value, but different
"rsync-user" values (or you could omit the rsync-user part from the
command line, and let it default to whatever their local username is
on the client machine -- the rsync-user name won't be used by the
server-side configuration that I suggest below).

Make each line of the ssh authorized_keys file contain a
command="..."  option that refers to a wrapper script that verifies
that $SSH_ORIGINAL_COMMAND looks like "rsync --server --daemon .",
and then execs "rsync --config=/path/to/user-specific/rsyncd.conf
--server --daemon .", with different ssh keys using different rsync
configurations.  Within each rsync daemon configuration file, specify
the module names that the user is allowed to access, the corresponding
directory names on the server, and whether they are read-only or
read-write.

--apb (Alan Barrett)
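
Added example, not part of the original message: one way to write the wrapper script described above, in POSIX sh. The config directory, the per-key label argument and the install path are assumptions, and the exact-string comparison is a deliberately strict reading of "looks like".

```shell
#!/bin/sh
# Added example (not from the original post). Assumed names: CONF_DIR, the
# per-key label argument, and the install path /usr/local/bin/rsync-wrapper.
#
# authorized_keys, one line per client key (constructed, key elided):
#   command="/usr/local/bin/rsync-wrapper alice",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding ssh-rsa AAAA... alice
#
# $CONF_DIR/alice/rsyncd.conf (constructed):
#   use chroot = no        # the shared non-root UID cannot chroot
#   [backup]
#   path = /srv/rsync/alice
#   read only = no
CONF_DIR=${CONF_DIR:-/etc/rsync-keys}

# Print the per-key rsyncd.conf path if both the key label and the command
# requested by the client are acceptable; return non-zero otherwise.
select_config() {
    label=$1
    cmd=$2
    # The label comes from authorized_keys, but still refuse anything that
    # could name a path outside CONF_DIR.
    case $label in
        ''|*[!A-Za-z0-9_-]*) return 1 ;;
    esac
    # Exact match only: no extra options, no trailing shell syntax.
    [ "$cmd" = "rsync --server --daemon ." ] || return 1
    conf=$CONF_DIR/$label/rsyncd.conf
    [ -r "$conf" ] || return 1
    printf '%s\n' "$conf"
}

main() {
    conf=$(select_config "${1:-}" "${SSH_ORIGINAL_COMMAND:-}") || {
        echo "rsync-wrapper: request refused" >&2
        exit 1
    }
    # The client's command string is never executed; only this fixed one is.
    exec rsync --config="$conf" --server --daemon .
}

# sshd sets SSH_ORIGINAL_COMMAND only when the client asked for a command.
# A request for an interactive shell leaves it unset and gets nothing.
if [ -n "${SSH_ORIGINAL_COMMAND+set}" ]; then
    main "$@"
fi
```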


More information about the openssh-unix-dev mailing list