backup using rsync – part 2

Here we are going to use a cool ssh feature (a forced command tied to a key in authorized_keys) that lets you allow a client to run one specific command, even if this client doesn’t have a local user account. The rsync guys provide a script that allows for more flexibility: rrsync.

Configuration

On the client

In ~/.ssh, generate a new key for rsync with no passphrase.

ssh-keygen -t ed25519 -f id_ed25519_yournameofchoice_rsync
  • -t: to specify the type of key to create
  • -f: to specify the file name

Then send the public key (which you can find in ~/.ssh/id_ed25519_yournameofchoice_rsync.pub) to the person who administers the server.

The key should look a bit like this:

ssh-ed25519 yoursuperlongpublickeythattheclientprovidedyouwith/dhkjhZlkh1 username@computername.local

On the server

This could be done using ssh functionality alone; however, there would be no flexibility at all, as the command allowed to run would be hard-coded. The rsync guys provide a script, rrsync, to allow a bit more flexibility and ease of configuration.

On an Ubuntu or Raspbian distro, enable rrsync by running:

cd /usr/share/doc/rsync/scripts/
sudo gunzip rrsync.gz
sudo chmod 755 rrsync
sudo cp rrsync /usr/local/bin/

Then edit ~/.ssh/authorized_keys and add the command you want to allow, followed by the client's public key, all on a single line:

command="/usr/local/bin/rrsync -ro /media/username/5TB/myfiles",no-agent-forwarding,no-port-forwarding,no-pty,no-user-rc,no-X11-forwarding ssh-ed25519 yoursuperlongpublickeythattheclientprovidedyouwith/dhkjhZlkh1 username@computername.local

This line authorises the client's public key to run only rrsync, only on the folder you specified, and only in read-only mode. It lets the key-authenticated ssh connection invoke the rsync program on the server’s end with predefined folder access; the two rsync processes can then talk to each other, but the client can only request files from /media/username/5TB/myfiles.
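
A way to check authorized_keys lines against the restrictions described above, as an added example (not part of the original post and not rsync or OpenSSH code). The function names, the KEYDATA placeholder and the sample lines are constructed for illustration; the check also accepts OpenSSH's restrict option, which the post does not use and which enables all of the no-* restrictions at once.

```python
import re
import shlex

# Restrictions from the page's authorized_keys line (sshd option names are case-insensitive).
REQUIRED = {"no-agent-forwarding", "no-port-forwarding", "no-pty",
            "no-user-rc", "no-x11-forwarding"}
KEY_PREFIXES = ("ssh-", "ecdsa-sha2-", "sk-")   # a line starting with a key type has no options
OPTION = re.compile(r'([A-Za-z0-9-]+)(?:="((?:\\"|[^"])*)")?(,|\s+|$)')

def parse_options(line):
    """Return the options field of one authorized_keys line as a dict."""
    options, pos = {}, 0
    if line.startswith(KEY_PREFIXES):
        return options
    while (m := OPTION.match(line, pos)):
        options[m[1].lower()] = (m[2] or "").replace('\\"', '"')
        pos = m.end()
        if m[3] != ",":          # whitespace ends the options field; the key follows
            break
    return options

def audit(line):
    """List what differs from the page's read-only rrsync setup; [] means it matches."""
    line = line.strip()
    if not line or line.startswith("#"):
        return []
    options = parse_options(line)
    findings = []
    cmd = shlex.split(options.get("command", ""))
    if not cmd:
        findings.append("no forced command")
    elif cmd[0].rsplit("/", 1)[-1] != "rrsync":
        findings.append("forced command is not rrsync")
    else:
        if "-ro" not in cmd[1:-1]:
            findings.append("rrsync is not read-only")
        if len(cmd) < 2 or cmd[-1].startswith("-"):
            findings.append("rrsync has no directory argument")
    if "restrict" not in options:   # 'restrict' turns on all of REQUIRED at once
        findings += [f"missing {f}" for f in sorted(REQUIRED - set(options))]
    return findings

# Constructed sample lines (KEYDATA stands in for a real base64 key).
PAGE_LINE = ('command="/usr/local/bin/rrsync -ro /media/username/5TB/myfiles",no-agent-forwarding,'
             'no-port-forwarding,no-pty,no-user-rc,no-X11-forwarding ssh-ed25519 KEYDATA user@host')
BARE_LINE = "ssh-ed25519 KEYDATA user@host"
if __name__ == "__main__":
    for sample in (PAGE_LINE, BARE_LINE):
        print(audit(sample) or "OK")
```

An empty list means the line matches the setup above; a bare key with no options is reported as having no forced command, which means that key gets a normal login.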

Running it

Using a similar command to what we saw in part 1 we can start testing.

rsync -e "ssh -i /home/username/.ssh/id_ed25519_yournameofchoice_rsync" -avP --append-verify --verbose --timeout=60 --progress --stats serverusername@ip-address:Folder/subfolder /home/username/Downloads
  • -i: where your private key is located
  • serverusername@ip-address:Folder/subfolder
    • serverusername: the username on the server that allows you to run the command
    • ip-address: the FQDN or IP address of the remote server.
    • Folder/subfolder: if you leave it empty, it will download/sync all files in the directory specified in authorized_keys on the server. If you want to sync only a subfolder on the server, say only /media/username/5TB/myfiles/Music, you would just use serverusername@ip-address:Music
  • /home/username/Downloads: the directory on the client where the files will be downloaded.

Then you can add it to your crontab using the flock trick described in part 1 if you wish. Note that the rsync commands provided are just examples. At some point, after playing around/testing for a couple of weeks, I will write a conclusion where I’ll show which command I am using and explain my choices.

Results

Being tested right now. I will edit the post when done, but so far so good.
