[Background]
As more and more machines are deployed in Qiniu Cloud Storage's production environment, routine binary package distribution and log collection have gradually grown into a real problem.
Logging in remotely over SSH and invoking the rsync utility to upload or download data would solve it, but it creates a headache for login key authorization: a key that works for rsync also works for a remote login, which is a security risk.

How can this problem be solved?

[Investigation]
I recalled that gitolite, a handy piece of Perl software, can trigger a designated action upon SSH authentication, running a script that authorizes git operations. Looking into it, I found that in SSH's authorized_keys file each key can be given a command; once authentication succeeds, that command is forcibly invoked, which makes it possible to "run a specific script without logging into a remote shell".

This trick is very neat, but it has a drawback: a key that carries a command must be unique, so heavy use leaves authorized_keys cluttered with a large number of entries.

The following is excerpted from the authorized_keys man page.

command="command"
    Specifies that the command is executed whenever this key is used for authentication.  The command supplied by the user (if any) is ignored.  The command is run on a pty if the client requests a pty; otherwise it is run without a tty.  If an 8-bit clean channel is required, one must not request a pty or should specify no-pty.  A quote may be included in the command by quoting it with a backslash.  This option might be useful to restrict certain public keys to perform just a specific operation.  An example might be a key that permits remote backups but nothing else.  Note that the client may specify TCP and/or X11 forwarding unless they are explicitly prohibited.  The command originally supplied by the client is available in the SSH_ORIGINAL_COMMAND environment variable.  Note that this option applies to shell, command or subsystem execution.

[Terminology]
Could this trick be given the short name "SSH Trigger Action"? :)

[Practice]
rsync's maintainer wrote a Perl script dedicated to exactly this trick; combined with rsync's -e option, it implements trigger-style data synchronization.
The tool has a playful name, too: rrsync.

Here is the SSH Trigger Action entry written on a test machine:

command="rrsync /tmp/try",from="192.168.0.119" ssh-rsa AAAA...
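As an added example (not from the original post), the shell functions below build an rrsync entry that also shuts off the TCP/X11/agent forwarding and pty allocation the man page warns about, and audit an authorized_keys file for forced-command entries that lack those restrictions. The directory paths, addresses and key material are constructed placeholders; -ro is rrsync's read-only flag.

```shell
#!/bin/sh
# Added example, not from the original post: build a hardened authorized_keys
# entry for an rrsync-only key, and audit a file for command= entries that
# still permit forwarding (the caveat in the man page excerpt above).
# Paths, addresses and key material are constructed placeholders.

# make_rrsync_entry DIR FROM_IP [MODE]   (public key on stdin)
# MODE is an optional rrsync flag such as -ro (read-only, e.g. for log pulls).
# sshd ignores the client's command; rrsync reads SSH_ORIGINAL_COMMAND and only
# accepts rsync server invocations confined to DIR.
make_rrsync_entry() {
    dir=$1; from=$2; mode=$3
    pubkey=$(cat)
    printf 'command="rrsync %s%s",from="%s",no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding %s\n' \
        "${mode:+$mode }" "$dir" "$from" "$pubkey"
}

# audit_forced_commands FILE
# Reports every command= entry missing one of the four restriction options.
# Returns 0 if all forced-command keys are fully restricted, 1 otherwise.
audit_forced_commands() {
    status=0
    while IFS= read -r line; do
        case $line in
            ''|\#*) continue ;;      # blank lines and comments
            *command=*) ;;           # forced-command entry: check it
            *) continue ;;           # ordinary key: out of scope here
        esac
        for opt in no-pty no-port-forwarding no-X11-forwarding no-agent-forwarding; do
            case $line in
                *"$opt"*) ;;
                *) echo "missing $opt: ${line%% ssh-*}"; status=1 ;;
            esac
        done
    done < "$1"
    return $status
}

# Demo on a constructed file: two generated entries plus one written by hand
# in the bare form shown in the post, which the audit flags.
demo=$(mktemp -d)
echo "ssh-ed25519 AAAAC3PLACEHOLDER deploy@build" \
    | make_rrsync_entry /srv/bin 192.168.0.119 > "$demo/authorized_keys"
echo "ssh-ed25519 AAAAC3PLACEHOLDER logs@node1" \
    | make_rrsync_entry /srv/logs 192.168.0.120 -ro >> "$demo/authorized_keys"
echo 'command="rrsync /tmp/try",from="192.168.0.119" ssh-ed25519 AAAAC3PLACEHOLDER try' >> "$demo/authorized_keys"
audit_forced_commands "$demo/authorized_keys" || echo "audit: unrestricted forced-command key(s) found"
rm -rf "$demo"
```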