Rsync between two remotes via a control server without agent forwarding or key sharing?











up vote
1
down vote

favorite












I have a control server (CS) that has SSH access to many others (H1, H2, etc). I would like CS to be able to initiate a rsync transfer between any two H* servers without those hosts knowing how to directly connect to each other.



I've looked at local/reverse port forwarding, but it seems that is only useful when H1 and H2 cannot directly talk to each other on the network. H1 still needs an authorized key on H2 for it to work, which is something I want to avoid.



Agent forwarding reads like it has the drawback of allowing an untrusted H1 to use any of my keys to the other hosts. I don't want H1 to gain access to anything else, only H2 for the duration of the transfer.



Is there a way I can establish SSH connections from CS to H1 and from CS to H2, and then have rsync (on either CS or H1) communicate via those channels to H2 without requiring additional authentication? Something like a command tunnel that is preauthorized?






ssh rsync forwarding







share|improve this question






















  • What software do the hosts run – all OpenSSH?
    – grawity
    Nov 16 at 8:13










  • Yes. OpenSSH on all servers, latest releases from CentOS and Ubuntu repos.
    – jimp
    Nov 16 at 18:09










  • Do you need rsync, or would scp work?
    – Gordon Davisson
    Nov 17 at 7:43










  • I’m actually using both. I would appreciate an answer for scp, so I don’t have to rewrite those commands, but I don’t think I can do without rsync because of its whole tree capabilities.
    – jimp
    Nov 17 at 15:03

















up vote
1
down vote

favorite












I have a control server (CS) that has SSH access to many others (H1, H2, etc). I would like CS to be able to initiate a rsync transfer between any two H* servers without those hosts knowing how to directly connect to each other.



I've looked at local/reverse port forwarding, but it seems that is only useful when H1 and H2 cannot directly talk to each other on the network. H1 still needs an authorized key on H2 for it to work, which is something I want to avoid.



Agent forwarding reads like it has the drawback of allowing an untrusted H1 to use any of my keys to the other hosts. I don't want H1 to gain access to anything else, only H2 for the duration of the transfer.



Is there a way I can establish SSH connections from CS to H1 and from CS to H2, and then have rsync (on either CS or H1) communicate via those channels to H2 without requiring additional authentication? Something like a command tunnel that is preauthorized?






ssh rsync forwarding







share|improve this question






















  • What software do the hosts run – all OpenSSH?
    – grawity
    Nov 16 at 8:13










  • Yes. OpenSSH on all servers, latest releases from CentOS and Ubuntu repos.
    – jimp
    Nov 16 at 18:09










  • Do you need rsync, or would scp work?
    – Gordon Davisson
    Nov 17 at 7:43










  • I’m actually using both. I would appreciate an answer for scp, so I don’t have to rewrite those commands, but I don’t think I can do without rsync because of its whole tree capabilities.
    – jimp
    Nov 17 at 15:03















up vote
1
down vote

favorite









up vote
1
down vote

favorite











I have a control server (CS) that has SSH access to many others (H1, H2, etc). I would like CS to be able to initiate a rsync transfer between any two H* servers without those hosts knowing how to directly connect to each other.



I've looked at local/reverse port forwarding, but it seems that is only useful when H1 and H2 cannot directly talk to each other on the network. H1 still needs an authorized key on H2 for it to work, which is something I want to avoid.



Agent forwarding reads like it has the drawback of allowing an untrusted H1 to use any of my keys to the other hosts. I don't want H1 to gain access to anything else, only H2 for the duration of the transfer.



Is there a way I can establish SSH connections from CS to H1 and from CS to H2, and then have rsync (on either CS or H1) communicate via those channels to H2 without requiring additional authentication? Something like a command tunnel that is preauthorized?






ssh rsync forwarding







share|improve this question













I have a control server (CS) that has SSH access to many others (H1, H2, etc). I would like CS to be able to initiate a rsync transfer between any two H* servers without those hosts knowing how to directly connect to each other.



I've looked at local/reverse port forwarding, but it seems that is only useful when H1 and H2 cannot directly talk to each other on the network. H1 still needs an authorized key on H2 for it to work, which is something I want to avoid.



Agent forwarding reads like it has the drawback of allowing an untrusted H1 to use any of my keys to the other hosts. I don't want H1 to gain access to anything else, only H2 for the duration of the transfer.



Is there a way I can establish SSH connections from CS to H1 and from CS to H2, and then have rsync (on either CS or H1) communicate via those channels to H2 without requiring additional authentication? Something like a command tunnel that is preauthorized?






ssh rsync forwarding




ssh rsync forwarding






share|improve this question













share|improve this question











share|improve this question




share|improve this question










asked Nov 15 at 23:47









jimp

248212




248212












  • What software do the hosts run – all OpenSSH?
    – grawity
    Nov 16 at 8:13










  • Yes. OpenSSH on all servers, latest releases from CentOS and Ubuntu repos.
    – jimp
    Nov 16 at 18:09










  • Do you need rsync, or would scp work?
    – Gordon Davisson
    Nov 17 at 7:43










  • I’m actually using both. I would appreciate an answer for scp, so I don’t have to rewrite those commands, but I don’t think I can do without rsync because of its whole tree capabilities.
    – jimp
    Nov 17 at 15:03




















  • What software do the hosts run – all OpenSSH?
    – grawity
    Nov 16 at 8:13










  • Yes. OpenSSH on all servers, latest releases from CentOS and Ubuntu repos.
    – jimp
    Nov 16 at 18:09










  • Do you need rsync, or would scp work?
    – Gordon Davisson
    Nov 17 at 7:43










  • I’m actually using both. I would appreciate an answer for scp, so I don’t have to rewrite those commands, but I don’t think I can do without rsync because of its whole tree capabilities.
    – jimp
    Nov 17 at 15:03


















What software do the hosts run – all OpenSSH?
– grawity
Nov 16 at 8:13




What software do the hosts run – all OpenSSH?
– grawity
Nov 16 at 8:13












Yes. OpenSSH on all servers, latest releases from CentOS and Ubuntu repos.
– jimp
Nov 16 at 18:09




Yes. OpenSSH on all servers, latest releases from CentOS and Ubuntu repos.
– jimp
Nov 16 at 18:09












Do you need rsync, or would scp work?
– Gordon Davisson
Nov 17 at 7:43




Do you need rsync, or would scp work?
– Gordon Davisson
Nov 17 at 7:43












I’m actually using both. I would appreciate an answer for scp, so I don’t have to rewrite those commands, but I don’t think I can do without rsync because of its whole tree capabilities.
– jimp
Nov 17 at 15:03






I’m actually using both. I would appreciate an answer for scp, so I don’t have to rewrite those commands, but I don’t think I can do without rsync because of its whole tree capabilities.
– jimp
Nov 17 at 15:03

















active

oldest

votes











Your Answer








StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "3"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});

function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});


}
});














 

draft saved


draft discarded


















StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f1375843%2frsync-between-two-remotes-via-a-control-server-without-agent-forwarding-or-key-s%23new-answer', 'question_page');
}
);

Post as a guest















Required, but never shown






























active

oldest

votes













active

oldest

votes









active

oldest

votes






active

oldest

votes
















 

draft saved


draft discarded



















































 


draft saved


draft discarded














StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f1375843%2frsync-between-two-remotes-via-a-control-server-without-agent-forwarding-or-key-s%23new-answer', 'question_page');
}
);

Post as a guest















Required, but never shown





















































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown

































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown







-

Popular posts from this blog

Сан-Квентин

Image
Сан-Квентин Местоположение Сан-Квентин, Калифорния Координаты 37°56′13″ с. ш. 122°29′20″ з. д. H G Я O L Текущий статус Действует Режим безопасности минимальный и максимальный Количество мест 3 302 Открытие Июнь 1852 Находится в ведомстве California Department of Corrections and Rehabilitation Начальник Mike Martel, начальник  Сан-Квентин на Викискладе Сан-Квентин (англ.  San Quentin ) — тюрьма, располагающаяся на 432 акрах (около 1,7 км²), на мысе Сан-Квентин, в округе Марин, штат Калифорния, США. Тюрьма штата Калифорния Сан-Квентин была открыта в июле 1852 года и является старейшей в штате. Она была построена заключёнными, которые проживали в течение строительства на тюремном судне Вабан. В Сан-Квентине отбывали наказание и мужчины, и женщины до 1934 года, когда построили женскую тюрьму в Техачапи и туда перевели всех заключённых женщин. В Сан-Квентине приводятся в исполнение смертные казни, для этого имеется газовая камера, но
Read more

Алькесар

Image
Муниципалитет Алькесар Alquézar Герб 42°10′16″ с. ш. 0°01′27″ в. д. H G Я O L Страна Испания   Испания Автономное сообщество Арагон Провинция Уэска Комарка Сомонтано-де-Барбастро Алькальд Хосе Марияно Альтемир Ласкорс (ИСРП) История и география Площадь 32,36 км² Высота НУМ 660 м Часовой пояс UTC+1, летом UTC+2 Население Население 313 человек ( 2010 ) Плотность 9,92 чел./км² Этнохороним alquezarano/-a Цифровые идентификаторы Телефонный код +34 974 Почтовые индексы 22112 Автомобильный код HU alquezar.org   (исп.) Показать/скрыть карты Алькесар Алькесар Алькесар  Аудио, фото и видео на Викискладе Алькесар (исп.  Alquézar ) — муниципалитет в Испании, входит в провинцию Уэска, в составе автономного сообщества Арагон. Муниципалитет находится в составе района (комарки) Сомонтано-де-Барбастро. Занимает площадь 32,36 км². Население — 321 челове
Read more

Josef Freinademetz

Image
San Ujöp (Giuseppe/Josef) Freinademetz Josef Freinademetz in abiti cinesi   Religioso e missionario   Nascita 15 aprile 1852 Morte 28 gennaio 1908 Venerato da Chiesa cattolica Beatificazione 1975 Canonizzazione 5 ottobre 2003 Ricorrenza 28 gennaio Manuale Ujöp Freinademetz noto anche come Giuseppe o Josef Freinademetz (Oies, 15 aprile 1852 – Taikia, 28 gennaio 1908) è stato un presbitero austriaco, membro della Società del Verbo Divino, fu missionario in Cina; è venerato come santo dalla Chiesa cattolica. .mw-parser-output .citazione-table{margin-bottom:.5em;font-size:95%}.mw-parser-output .citazione-table td{padding:0 1.2em 0 2.4em}.mw-parser-output .citazione-lang{vertical-align:top}.mw-parser-output .citazione-lang td{width:50%}.mw-parser-output .citazione-lang td:first-child{padding:0 0 0 2.4em}.mw-parser-output .citazione-lang td:nth-child(2){padding:0 1.2em} «Io amo la Cina e i cinesi; voglio morire in mezzo a loro, e tra loro
Read more