rsync is a very nice tool to synchronize two directories, especially if they are on different machines. If you require confidentiality of the transferred data, rsync works great over ssh.

Besides the standard password authentication, ssh also supports public key authentication. This key-based authentication has the added bonus of having per-key options:

  • you can restrict the source IP from which this key may be used
  • you can force a command to be executed instead of allowing the connecting side to specify one

Combining the power of these tools gives very fine grained control over the rsync process: you can create a “backup key” that only allows you to rsync from the server and only from a specified directory. Any other command besides rsync is rejected; rsync to the server or from another directory is also rejected. This script does it all, it’s part of the rsync package, but not installed by most distro’s. An example authorized_keys entry (with an abbreviated key):

command="/home/boss/niels/bin/ -ro /home" ssh-rsa AAAAB[...]fE+8QrME= 20090329 rsync key