Let’s you want to set up an automatic rsync over ssh to a remote server, but you want to do it in a secure way.

Using rsync over ssh is a convenient way to have all of the power of rsync for synchronizing files, comparing differences, doing backups, without having to set up an rsync server.

Here is an example of using rsync in this manner, which will make the destination match the source exactly:

 rsync -a --delete -e "ssh" SOURCE DESTINATION 

The problem is this won’t be automatic because ssh will prompt you for your ssh username and password. That means you can’t use rsync in a script, such as a cron job. To get around this, you can set up an ssh key and copy that to the remote server. To do this, you have to set up an ssh key and copy it to the remote server. This is done by running ssh-keygen, and then leaving the passphrase field empty when it prompts you:

username@local-server:~$ ssh-keygen 
Generating public/private rsa key pair.
Enter file in which to save the key (/home/username/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/username/.ssh/id_rsa.
Your public key has been saved in /home/username/.ssh/id_rsa.pub.
The key fingerprint is:
bc:ff:a0:c6:f3:33:36:c2:3a:9b:19:20:22:a4:a1:f8 username@local-server
The key's randomart image is:

Then you normally copy the contents of the /home/username/.ssh/id_rsa.pub file to the /home/username/.ssh/authorized_keys file on the remote server you want your rsync to be able to access.

You can test this by then using ssh with your new key:

 ssh username@remote -i /home/username/.ssh/id_rsa

If that works, your ssh key is working. (If you leave off the -i PATH_TO_KEY option, it will work if the key is named with the defaults).

This method works fine, except it isn’t secure. If anyone gets ahold of your private key, they will also have full access to your account on the remote server without any password required. To make it more secure, you can take advantage of the ssh feature that limits you to one command.

The best way to do this, is to find out exactly what command rsync runs on the remote server when it runs. To do this, run your rsync with -vv, turning on very verbose mode:

 rsync -a -vv --delete -e "ssh -i /home/USERNAME/.ssh/rsync_id_rsa" SOURCE DESTINATION 

Then look at the first line rsync returns. It should be something like:

opening connection using: ssh -p 4022 -l username remote-server rsync --server --sender -vvlogDtpre.iLsf . /var/www

What you are interested in, is the rsync command and everything after it. In this case:

rsync --server --sender -vvlogDtpre.iLsf . /var/www

On the remote server, find the line where you copied your ssh key in the /home/username/.ssh/authorized_keys file and prepend this specific command to it in the “command” section. For good measure, you can include other security features. Here is an example:

command="rsync --server --sender -vvlogDtpre.iLsf . /var/www",no-port-forwarding,no-pty,no-agent-forwarding ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDs/DqwIOWrf6K8yUPOMx22jx2vDTnXa9HvAobK1gw5I0Dx/z/HJdr7s2Iopcb7kdEBRJ9xQKWvc6lvdtdxDmSXc7a5WWjV9/2IaZGpJC0GDw79 username@local-server

Keep in mind that the whole thing needs to be on one line, or if you need to put it on more than one line, use the \ character at the end of each line.

That will make so only that specific rsync command can run, thereby securing your rsync connection.