Today I will describe how to use rsync over ssh using four simple examples, as it is a very convenient way to perform secure and automated backups.
Use case #1
I will start with the simplest possible example which I will thoroughly describe.
Data will be copied from local to remote; any additional data on the remote side will be removed.
Create the .ssh directory and set correct permissions.
local$ mkdir .ssh
local$ chmod 700 .ssh
Generate an authentication key on the local machine. This key will be used to securely transfer data.
local$ ssh-keygen -N "" -q -f .ssh/mirror_data
Remember to set correct permissions on the recently generated private and public keys.
local$ chmod 600 .ssh/mirror_data .ssh/mirror_data.pub
Copy the public key to the remote machine.
local$ scp .ssh/mirror_data.pub mirror@remote:~/
Now you can authorize and restrict the provided key (allow it to execute only the specified command from the local machine and disallow everything else).
remote$ echo 'command="rsync --server --delete -logDtpre.iLsf . ~/mirror",from="local",no-agent-forwarding,no-port-forwarding,no-user-rc,no-X11-forwarding,no-pty' $(cat mirror_data.pub) >> ~/.ssh/authorized_keys
remote$ chmod 644 ~/.ssh/authorized_keys
remote$ rm ~/mirror_data.pub
Alternatively, use the ssh-copy-id command to copy the public key, and then edit the authorized_keys file by hand using your favorite text editor.
The authorized_keys file on the remote machine should be similar to the one displayed below.
remote$ cat ~/.ssh/authorized_keys
command="rsync --server --delete -logDtpre.iLsf . ~/mirror",from="local",no-agent-forwarding,no-port-forwarding,no-user-rc,no-X11-forwarding,no-pty ssh-rsa AAAA...
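The following audit script is an added example, not part of the original post. It parses the option list in front of each key and reports which of the restrictions shown above are missing. The function names and the sample entries are assumptions made for illustration, and it treats the OpenSSH `restrict` option as covering every `no-*` flag.

```python
# Restrictions the page puts on every key (option names are case-insensitive).
REQUIRED = {"command", "from", "no-agent-forwarding", "no-port-forwarding",
            "no-user-rc", "no-x11-forwarding", "no-pty"}
def split_options(line):
    """Parse the leading option list; it ends at the first unquoted space."""
    if line.startswith(("ssh-", "ecdsa-", "sk-")):
        return {}                            # bare key, no options at all
    opts, name, buf, quoted, i = {}, None, "", False, 0
    while i < len(line):
        ch = line[i]
        if quoted and ch == "\\" and line[i + 1:i + 2] == '"':
            buf, i = buf + '"', i + 1        # \" inside a quoted value
        elif ch == '"':
            quoted = not quoted
        elif not quoted and ch == "=" and name is None:
            name, buf = buf.lower(), ""
        elif not quoted and ch in ", \t":
            opts[name or buf.lower()] = buf if name else True
            name, buf = None, ""
            if ch != ",":
                return opts                  # key type and key follow
        else:
            buf += ch
        i += 1
    raise ValueError("options without key material")

def audit(text):
    """Return {line number: sorted missing restrictions} for each key line."""
    findings = {}
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        opts = split_options(line)
        missing = REQUIRED - opts.keys()
        if "restrict" in opts:               # OpenSSH 7.2+: implies every no-*
            missing = {m for m in missing if not m.startswith("no-")}
        if missing:
            findings[n] = sorted(missing)
    return findings

# Constructed sample; AAAAEXAMPLE is a placeholder, not real key material.
SAMPLE = '''\
command="rsync --server --delete -logDtpre.iLsf . ~/mirror",from="local",no-agent-forwarding,no-port-forwarding,no-user-rc,no-X11-forwarding,no-pty ssh-rsa AAAAEXAMPLE
command="rsync --server --sender -vlogDtpre.iLsf ~/data .",no-pty ssh-rsa AAAAEXAMPLE
restrict,command="rsync --server --daemon .",from="local" ssh-ed25519 AAAAEXAMPLE
ssh-rsa AAAAEXAMPLE
'''
print(audit(SAMPLE))
```

The check only confirms that each option is present; it does not judge whether the `from=` pattern or the forced command itself is narrow enough.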
To mirror the data directory from the local to the remote machine (remote mirror user, ~/mirror directory) using the generated authentication key, execute the command:
local$ rsync -e "ssh -i ~/.ssh/mirror_data" --delete -a ~/data mirror@remote:.
authorized_keys file.
I suppose that you are very curious about the command used in the authorized_keys file on the remote machine. To get it, you need to use verbose ssh mode.
local$ rsync -e "ssh -v -i ~/.ssh/mirror_data" --delete -a ~/data mirror@remote:/xyz
[...]
debug1: Sending command: rsync --server --delete -logDtpre.iLsf . /xyz
[...]
Use case #2
To move data from local to remote and delete the source files afterwards, follow the previous procedure with just two exceptions. The first exception can be found inside the authorized_keys file; the second is the command used to transfer data.
Look at the parameters in the authorized_keys file on the remote machine (data user).
remote$ cat ~/.ssh/authorized_keys
command="rsync --server --remove-source-files -logDtpre.iLsf . ~/data_dir",from="local",no-agent-forwarding,no-port-forwarding,no-user-rc,no-X11-forwarding,no-pty ssh-rsa AAAA...
Use the following command to move data from ~/local_dir/ to the remote machine (data user, directory is defined above).
local$ rsync -e "ssh -i ~/.ssh/move_data" --remove-source-files -a ~/local_dir data@remote:.
Use case #3
To download data from the remote machine (archive user, ~/data/ directory) use the following parameters in the authorized_keys file.
remote$ cat ~/.ssh/authorized_keys
command="rsync --server --sender -vlogDtpre.iLsf ~/data .",from="local",no-agent-forwarding,no-port-forwarding,no-user-rc,no-X11-forwarding,no-pty ssh-rsa AAAA...
Execute the following command on the local machine to download data.
local$ rsync -e "ssh -i ~/.ssh/get_data" -a archive@remote:. .
Use case #4
Use the rsync daemon mode over ssh to send data to the remote machine or receive it using a single key.
remote$ cat ~/.ssh/authorized_keys
command="rsync --config=/home/roadwarrior/rsyncd.conf --server --daemon .",from="local",no-agent-forwarding,no-port-forwarding,no-user-rc,no-X11-forwarding,no-pty ssh-rsa AAAA...
Basic rsync configuration file (which can be easily extended).
remote$ cat ~/rsyncd.conf
[archive]
path = /home/roadwarrior/archive
comment = Archive
uid = roadwarrior
gid = roadwarrior
read only = false
use chroot = true
~ (tilde character → home directory) shorthand command inside authorized_keys to define location of the configuration file, and inside rsyncd.conf file to specify module path.
Upload data to the archive module on the remote using roadwarrior user.
local$ rsync -e "ssh -i ~/.ssh/rsync_data" -a ~/data roadwarrior@remote::archive
Download data from the archive module on the remote using roadwarrior user.
local$ rsync -e "ssh -i ~/.ssh/rsync_data" -a roadwarrior@remote::archive ~/data