Ever had to move data around on a regular basis? Say to copy statistics and such from machine to machine to a central location without having some hokie psuedo user with funked up permissions? Have you the same problem as I do? Every single time you want to do this you have to google: “ssh forced command keys” and hope that link 3 doesn’t change on you? Fear not… documentation below!

So, you need to copy a set of files on a regular basis from some host in the field to a central host (in this example atleast)? You can accomplish this with some simple ssh key login without a password! Oh, but that means your user will always use that key? No! That means your passphrase-less key could be abused to do other bad things? No! Forced command keys to the rescue!

Start by making a new key:


ssh-keygen -t dsa -f ~/.ssh/data-collection-key

copy the .pub version (~/.ssh/data-collection-key.pub) to centralserver:~/.ssh/authorized_keys. Then edit the key to include the command, originally the key was (all on one line of course):


ssh-dss asdkjasdkjasdlkj1kc3MAAACBALtvDKOs....... userid@creating-host

You’d want to add, as a start to find out what command you really need:


command="echo $SSH_ORIGINAL_COMMAND > /tmp/cmd” ssh-dss asdkjasdkjasdlkj1kc3MAAACBALtvDKOs....... userid@creating-host

Run your backup command:


~$ rsync -rapv -e “ssh -i /home/user/.ssh/data-collection-key” /home/user/scripts/health-monitor/graphs central-server:/file/path/destination

Check on the target machine for the /tmp/cmd file contents:


rsync --server -vlogDtpr . /file/path/destination

Copy the contents of this into your command="” key section:


command="rsync --server -vlogDtpr . /file/path/destination” ssh-dss asdkjasdkjasdlkj1kc3MAAACBALtvDKOs....... userid@creating-host

Test the key/process then automate! Sample ‘automation’ (crontab entry):


*/5 * * * * rsync -rapv -e “ssh -i /home/user/.ssh/data-collection-key” /home/user/scripts/health-monitor/graphs central-server:/file/path/destination

Simple enough eh? Now, why can’t I remember this?