Rsync between two remotes via a control server without agent forwarding or key sharing?











up vote
1
down vote

favorite












I have a control server (CS) that has SSH access to many others (H1, H2, etc). I would like CS to be able to initiate a rsync transfer between any two H* servers without those hosts knowing how to directly connect to each other.



I've looked at local/reverse port forwarding, but it seems that is only useful when H1 and H2 cannot directly talk to each other on the network. H1 still needs an authorized key on H2 for it to work, which is something I want to avoid.



Agent forwarding reads like it has the drawback of allowing an untrusted H1 to use any of my keys to the other hosts. I don't want H1 to gain access to anything else, only H2 for the duration of the transfer.



Is there a way I can establish SSH connections from CS to H1 and from CS to H2, and then have rsync (on either CS or H1) communicate via those channels to H2 without requiring additional authentication? Something like a command tunnel that is preauthorized?










share|improve this question






















  • What software do the hosts run – all OpenSSH?
    – grawity
    Nov 16 at 8:13










  • Yes. OpenSSH on all servers, latest releases from CentOS and Ubuntu repos.
    – jimp
    Nov 16 at 18:09










  • Do you need rsync, or would scp work?
    – Gordon Davisson
    Nov 17 at 7:43










  • I’m actually using both. I would appreciate an answer for scp, so I don’t have to rewrite those commands, but I don’t think I can do without rsync because of its whole tree capabilities.
    – jimp
    Nov 17 at 15:03

















up vote
1
down vote

favorite












I have a control server (CS) that has SSH access to many others (H1, H2, etc). I would like CS to be able to initiate a rsync transfer between any two H* servers without those hosts knowing how to directly connect to each other.



I've looked at local/reverse port forwarding, but it seems that is only useful when H1 and H2 cannot directly talk to each other on the network. H1 still needs an authorized key on H2 for it to work, which is something I want to avoid.



Agent forwarding reads like it has the drawback of allowing an untrusted H1 to use any of my keys to the other hosts. I don't want H1 to gain access to anything else, only H2 for the duration of the transfer.



Is there a way I can establish SSH connections from CS to H1 and from CS to H2, and then have rsync (on either CS or H1) communicate via those channels to H2 without requiring additional authentication? Something like a command tunnel that is preauthorized?










share|improve this question






















  • What software do the hosts run – all OpenSSH?
    – grawity
    Nov 16 at 8:13










  • Yes. OpenSSH on all servers, latest releases from CentOS and Ubuntu repos.
    – jimp
    Nov 16 at 18:09










  • Do you need rsync, or would scp work?
    – Gordon Davisson
    Nov 17 at 7:43










  • I’m actually using both. I would appreciate an answer for scp, so I don’t have to rewrite those commands, but I don’t think I can do without rsync because of its whole tree capabilities.
    – jimp
    Nov 17 at 15:03















up vote
1
down vote

favorite









up vote
1
down vote

favorite











I have a control server (CS) that has SSH access to many others (H1, H2, etc). I would like CS to be able to initiate a rsync transfer between any two H* servers without those hosts knowing how to directly connect to each other.



I've looked at local/reverse port forwarding, but it seems that is only useful when H1 and H2 cannot directly talk to each other on the network. H1 still needs an authorized key on H2 for it to work, which is something I want to avoid.



Agent forwarding reads like it has the drawback of allowing an untrusted H1 to use any of my keys to the other hosts. I don't want H1 to gain access to anything else, only H2 for the duration of the transfer.



Is there a way I can establish SSH connections from CS to H1 and from CS to H2, and then have rsync (on either CS or H1) communicate via those channels to H2 without requiring additional authentication? Something like a command tunnel that is preauthorized?










share|improve this question













I have a control server (CS) that has SSH access to many others (H1, H2, etc). I would like CS to be able to initiate a rsync transfer between any two H* servers without those hosts knowing how to directly connect to each other.



I've looked at local/reverse port forwarding, but it seems that is only useful when H1 and H2 cannot directly talk to each other on the network. H1 still needs an authorized key on H2 for it to work, which is something I want to avoid.



Agent forwarding reads like it has the drawback of allowing an untrusted H1 to use any of my keys to the other hosts. I don't want H1 to gain access to anything else, only H2 for the duration of the transfer.



Is there a way I can establish SSH connections from CS to H1 and from CS to H2, and then have rsync (on either CS or H1) communicate via those channels to H2 without requiring additional authentication? Something like a command tunnel that is preauthorized?







ssh rsync forwarding






share|improve this question













share|improve this question











share|improve this question




share|improve this question










asked Nov 15 at 23:47









jimp

248212




248212












  • What software do the hosts run – all OpenSSH?
    – grawity
    Nov 16 at 8:13










  • Yes. OpenSSH on all servers, latest releases from CentOS and Ubuntu repos.
    – jimp
    Nov 16 at 18:09










  • Do you need rsync, or would scp work?
    – Gordon Davisson
    Nov 17 at 7:43










  • I’m actually using both. I would appreciate an answer for scp, so I don’t have to rewrite those commands, but I don’t think I can do without rsync because of its whole tree capabilities.
    – jimp
    Nov 17 at 15:03




















  • What software do the hosts run – all OpenSSH?
    – grawity
    Nov 16 at 8:13










  • Yes. OpenSSH on all servers, latest releases from CentOS and Ubuntu repos.
    – jimp
    Nov 16 at 18:09










  • Do you need rsync, or would scp work?
    – Gordon Davisson
    Nov 17 at 7:43










  • I’m actually using both. I would appreciate an answer for scp, so I don’t have to rewrite those commands, but I don’t think I can do without rsync because of its whole tree capabilities.
    – jimp
    Nov 17 at 15:03


















What software do the hosts run – all OpenSSH?
– grawity
Nov 16 at 8:13




What software do the hosts run – all OpenSSH?
– grawity
Nov 16 at 8:13












Yes. OpenSSH on all servers, latest releases from CentOS and Ubuntu repos.
– jimp
Nov 16 at 18:09




Yes. OpenSSH on all servers, latest releases from CentOS and Ubuntu repos.
– jimp
Nov 16 at 18:09












Do you need rsync, or would scp work?
– Gordon Davisson
Nov 17 at 7:43




Do you need rsync, or would scp work?
– Gordon Davisson
Nov 17 at 7:43












I’m actually using both. I would appreciate an answer for scp, so I don’t have to rewrite those commands, but I don’t think I can do without rsync because of its whole tree capabilities.
– jimp
Nov 17 at 15:03






I’m actually using both. I would appreciate an answer for scp, so I don’t have to rewrite those commands, but I don’t think I can do without rsync because of its whole tree capabilities.
– jimp
Nov 17 at 15:03

















active

oldest

votes











Your Answer








StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "3"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});

function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});


}
});














 

draft saved


draft discarded


















StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f1375843%2frsync-between-two-remotes-via-a-control-server-without-agent-forwarding-or-key-s%23new-answer', 'question_page');
}
);

Post as a guest















Required, but never shown






























active

oldest

votes













active

oldest

votes









active

oldest

votes






active

oldest

votes
















 

draft saved


draft discarded



















































 


draft saved


draft discarded














StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f1375843%2frsync-between-two-remotes-via-a-control-server-without-agent-forwarding-or-key-s%23new-answer', 'question_page');
}
);

Post as a guest















Required, but never shown





















































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown

































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown







Popular posts from this blog

Сан-Квентин

8-я гвардейская общевойсковая армия

Алькесар