Rsync Over ssh Configuration in debian

What is Rsync ?

rsync is a file transfer program for Unix systems. rsync uses the "rsync algorithm" which provides a very fast method for bringing remote files into sync. It does this by sending just the differences in the files across the link, without requiring that both sets of files are present at one of the ends of the link beforehand.

Rsync features

can update whole directory trees and filesystems

optionally preserves symbolic links, hard links, file ownership, permissions, devices and times

requires no special privileges to install

internal pipelining reduces latency for multiple files

can use rsh, ssh or direct sockets as the transport

supports anonymous rsync which is ideal for mirroring

Download Rsync

Rsync Documentation

Rsync FAQ

Rsync Examples

Rsync Requirements


Installing Rsync in debian

#apt-get install rsync

Reading Package Lists... Done
Building Dependency Tree... Done
The following NEW packages will be installed:
  rsync (2.6.4-6)
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 203kB of archives.
After unpacking 373kB of additional disk space will be used.
Get:1 stable/main rsync 2.6.4-6 [203kB]
Fetched 203kB in 0s (340kB/s)
Selecting previously deselected package rsync.
(Reading database ... 34227 files and directories currently installed.)
Unpacking rsync (from .../rsync_2.6.4-6_i386.deb) ...
Setting up rsync (2.6.4-6) ...
rsync daemon not enabled in /etc/default/rsync

After installing rsync you need to enable rsync in this file /etc/default/rsync,edit this file and you need to change the line following line




and now you need to restart the rsync daemon using the following command

#/etc/init.d/rsync restart

If you want to install ssh in debian you need to click here

After installing rsync and ssh we need to create key for the user who will be doing the backup on the source machine i will use root

# ssh-keygen -t rsa

Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/
The key fingerprint is:
cb:17:d8:17:b3:ff:9f:b5:a1:c6:1c:cb:4f:ba:5e:7f [email protected]

when asked where to store it, put it in the default (ie, /root/.ssh/id_rsa) when asked for a password, just press enter (ie, no password). Note, this is a security hole do it again the second time.

and now we have a key with no password in the two files mentioned above. Make sure that no other unauthorized user can read the private key file (the one without the '.pub' extension).

This key serves no purpose until we put the public portion into the 'authorized_keys' file on remotehost, specifically the one for remoteuser

Now, go into /root/.ssh and copy the file to the target machine. Put it in the file ~/.ssh/authorized_keys (create it if necessary)

use scp to get the file over to target machine

# scp ~/.ssh/ [email protected]


#ssh-copy-id -i ~/.ssh/ [email protected]

Now, try to ssh to that machine again. If you did it correctly, it will automatically log you in this time. Note: If you are root on the source machine (so you can access all files), you do not have to be root on the target machine, you can put the "authorized_keys" file in a user's account. In that case, you would ssh by doing an ssh [email protected] and it will still log in.

Now, on the source machine, try to run the rsync command. Here is one of my commands, the one that backs up /etc. Note I am using the long format so I can see what I'm doing later, instead of a lot of single character flags.


echo backupstarted

/usr/bin/rsync --compress --verbose --rsh=ssh --times --owner --group --ignore-times --links  --perms

                    --recursive --size-only --delete --force --numeric-ids --exclude-from=/etc/rsync.exclude \

                     --stats   /etc  [email protected]_machine:/home/backup/thismachine/

echo backupended

This will backup everything from /etc into /home/backup/thismachine/etc on targetmachine, as user root. Adding --list-only will simply show you the list of files to be copied instead of actually copying the files, which is good for testing.

Note, the source definition of /ect DOES NOT HAVE A TRAILING /. This must be the case. It is a weird thing about rsync. Basically, if you do put a trailing slash, the contents of /etc are copied to the target. If you do not, the directory /etc and its contents are copied, ie it will create the directory /etc on the target machine.

This is only sample script and sample rsync options if you want to know more rsync options check rsync man page

Once this is working, create a script to be run that will do the backups. I call mine "" because I have no imagination, and I put it in /root/bin. You must secure the script, ie it must be read/write/executeable only by root. It is a dangerous script.

You need to run this script daily for your backups for this you need to schedule this using cron

Now, to secure the site down. First, if you do not have physical access to the target machine, make one ssh connection to it and do not let that connection go. These next commands run the possibility of locking the account out.

On the target machine, log in (a different login, leave the above safety ssh session alone) and create one file. I put it in /root, and make it read/write/execute only by root.

beginning of script


echo $SSH_ORIGINAL_COMMAND >> /root/ssh.log

               echo "Rejected"
               echo "Rejected"
       rsync\ --server\ -vlogtprIz\ --delete\ --force\ --size-only\ --numeric-ids\ .\ /home/backup/thismachine/*)
               echo "Rejected"

end of script
This script is the one that will validate the automatic connection is only doing what it is supposed to.

The first line, echo $SSH_ORIGINAL_COMMAND >> /root/ssh.log, echos the command to the file /root/ssh.log, which not only tells you what is going on, but allows you to troubleshoot

The lines
               echo "Rejected"
               echo "Rejected"

reject any commands with an ampersand (&) and a semi-colon (;) in them.

The third line does a grep comparison with the command coming in to see if it is the correct one. I found this by running the command on the source machine, then looking at the ssh.log on the target machine.

The final line says "reject anything else"

Since I have three separate commands I execute on my backup, I actually have three different rsync commands I allow in on this line.

Now, go into the .ssh directory and open the authorized_keys file. Find the line that has the key for your source machine. It will look something like this:

ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAwWMo+ayeUWMf (whole bunch of other stuff follows. Yours will be different)

Add the following to the beginning of the line


(there must be a space). The line now looks like:

command="/root/validate_rsync", ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAwWMo+ayeUWMf (whole bunch of other stuff follows. Yours will be different)

This tells the ssh program to allow a login using this key, but only allow a single command to be given (no interactive shell) and validate the command using /root/validate_rsync

Now, from the source machine, try running the rsync command. It should work. DO NOT log out of the other shell above unless you have physical access to the machine.

Finally, for increased security, if you are using root on the target machine, do the following:

edit /etc/ssh/sshd_config. Find the line that reads "PermitRootLogin" and edit it as follows:

PermitRootLogin forced-commands-only

This means that root can not log in interactively (a good policy in the first place). I also set

PermitRootLogin no

on all my other machines.

This is oneway of getting rsync working and there is anotherway using rsync using rsyncd.conf file

If you want Rsync web interface or GUI tools click here