There is an option in the SSHD configuration file for allowing root logins only with the command parameter set. This allows a client to login to the server as root if they have a key in root's authorized_keys, but only if that key has the "`command`" parameter set.
There is an option in the SSHD configuration file for allowing root logins only with the command parameter set. This allows a client to login to the server as root if they have a key in root's `authorized_keys`, but only if that key has the '`command`' directive set.
To activate this option, set the following option in`/etc/ssh/sshd_config`:
To activate this option, add the following option to`/etc/ssh/sshd_config`:
```
```
PermitRootLogin forced-commands-only
PermitRootLogin forced-commands-only
```
```
And don't forget to reload SSH daemon:
And don't forget to reload the SSH daemon:
```
```
sudo systemctl reload sshd
sudo systemctl reload sshd
```
```
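Review bot: the new wording "add the following option to`/etc/ssh/sshd_config`" still has no space before the backtick, and "add" is misleading because a stock sshd_config usually already contains a `PermitRootLogin` line (often `prohibit-password`); sshd honours the first value it reads for a keyword, so an appended second line is silently ignored and root logins stay at the old setting. Suggest "edit (or add) the following line in `/etc/ssh/sshd_config`, replacing any existing `PermitRootLogin` entry", and mention checking the result with `sudo sshd -t` before the `systemctl reload sshd` step so a typo cannot take the daemon down.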
@ -27,14 +27,14 @@ rrsync [-ro|-wo] SUBDIR
```
```
rrsync can be restricted to read-only mode by the `-ro` flag, or write-only mode by the `-wo` flag. The subdir argument sets the directory that rrsync is restricted to. Rrsync will not be allowed to read or write from anywhere other than that directory.
rrsync can be restricted to read-only mode by the `-ro` flag, or write-only mode by the `-wo` flag. The subdir argument sets the directory that rrsync is restricted to. Rrsync will not be allowed to read or write from anywhere other than that directory.
To add a command directive to an authorized key, simply include the directive '`command="my_command"`' in front of the rest of the key on that line in the authorized_keys file. For example, so add a key that is restricted to only being able to run rrsync in read-only mode on the directory `/foo`, you would add the following command directive in front of the key:
To add a command directive to an authorized key, simply include the directive '`command="my_command"`' in front of the rest of the key on that line in the `authorized_keys` file. For example, to add a key that is restricted to only being able to run rrsync in read-only mode on the directory `/foo`, you would add the following command directive in front of the key:
```
```
command="rrsync -ro /foo" <key>
command="rrsync -ro /foo" <key>
```
```
When a remote client attempts to use this key to run a command on the host, the `command` directive causes SSHD to ignore any commands sent by the client, and execute the actions specified in the `command` directive instead. Rrsync will then be able to parse your attempted rsync command, and execute it if it determines that it is an allowed action.
When a remote client attempts to use this key to run a command on the host, the `command` directive causes SSHD to ignore any commands sent by the client, and execute the actions specified in the `command` directive instead. Rrsync will then be able to parse your attempted rsync command, and execute it if it determines that it is an allowed action.
Note that any remote directories in the client's rsync command must be specified *relative to the subdirectory*specified in the `command` directive. For example, if a client wants to pull the contents of the directory `/foo/bar` on the server to the same directory on the client using the key from the example above, they would run the command:
Note that any remote directories in the client's rsync command must be specified *relative to the subdirectory*given in the `command` directive. For example, if a client wanted to pull the contents of the directory `/foo/bar` on the server to the same directory on the client using the key from the example above, they would run the command:
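Review bot: the emphasis in "*relative to the subdirectory*given in the `command` directive" still has no space after the closing asterisk, so the words run together and the markdown emphasis may not render; fix the spacing while touching this line. On the `command="rrsync -ro /foo" <key>` example, a forced command on its own still leaves port forwarding, agent forwarding and PTY allocation available to the key holder; since the text presents this as a restricted root key, the example should carry the key options that rrsync's own documentation recommends, e.g. `restrict,command="rrsync -ro /foo" <key>` (or the explicit `no-port-forwarding,no-agent-forwarding,no-pty,no-X11-forwarding` list on older OpenSSH), with a sentence explaining why.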