This document describes the procedure to set up CA sync between two Zentyal servers. We will use for this rsync being run in a cron job.
\nWe will use root in the side that starts the connection (provided script will be run by cron) and ebox for the side that receives it. We could use any other user, but using user ebox avoid having to create extra unneeded configurations. For the sake of the example we’ll be referring to two servers here:<\/p>\n
In order to better understand the procedure we must keep in mind that:
\nZentyal CA files are stored on \/var\/lib\/zentyal\/CA
\nThis folder has these permissions:<\/p>\n
drwx r-x --x 9 ebox ebox<\/pre>\nebox user has as his home the folder \/var\/lib\/zentyal\/<\/p>\n
sudo apt-get install rsync<\/pre>\n
if [ ! -f \/root\/.ssh\/id_rsa.pub ] ; then \/usr\/bin\/ssh-keygen" ; else echo "Key Already exists" ; fi<\/pre>\n<\/p>\n
sudo mkdir -p \/var\/lib\/zentyal\/.ssh\/\r\nsudo touch \/var\/lib\/zentyal\/.ssh\/authorized_keys<\/pre>\n
sudo chown -R ebox.ebox \/var\/lib\/zentyal\/.ssh\/<\/pre>\n
sudo ssh ebox@SERVER-A-IP<\/pre>\n
1. Limit connections from IP:<\/p>\n
To do so edit in SERVER A \/var\/lib\/zentyal\/.ssh\/authorized_keys, and add prior to the ssh-rsa this:<\/p>\n
from="SERVER-B-IP" ssh-rsa dasghgdgh+RqUVx5wzgnaMxH2Km5KRx0Wzvsa5YvxjwERVVXs2mUEes5mDpoDMX9pUAwKqPCS5C\r\nLyDwI+t0xNmVzPzeZjhypIfvBmgaG7pBNx7Zted7C+fha1X3SUmT4TguLzy7pfWbG7CKr2XkkFUYUOdUniYc99NsIxY1\/51+\/jjhfg\r\njhfg\/Pr5jqH+jhfjfgj\/jhfgjh+9kErROS1z root@hostname<\/pre>\n2.\u00a0 Ensuring that only rsync is used for this ssh connection:
\nTo do so edit in SERVER A \/var\/lib\/zentyal\/.ssh\/authorized_keys, and add prior to the ssh-rsa this:<\/p>\ncommand="\/usr\/share\/bin\/check_command.sh\u201d ssh-rsa fdasghgdgh+RqUVx5wzgnaMxH2Km5KRx0Wzvsa5YvxjwERV\r\nVXs2mUEes5mDpoDMX9pUAwKqPCS5CLyDwI+t0xNmVzPzeZjhypIfvBmgaG7pBNx7Zted7C+fha1X3SUmT4TguLzy7pfWbG7CKr\r\n2XkkFUYUOdUniYc99NsIxY1\/51+\/jjhfgjhfg\/Pr5jqH+jhfjfgj\/jhfgjh+9kErROS1z root@hostname<\/pre>\nNow, you must add the script it mentions this line (script taken from http:\/\/troy.jdmz.net\/rsync\/index.html)<\/p>\n
#!\/bin\/sh\r\n\r\ncase "$SSH_ORIGINAL_COMMAND" in\r\n*\\&*)\r\necho "Rejected"\r\n;;\r\n*\\(*)\r\necho "Rejected"\r\n;;\r\n*\\{*)\r\necho "Rejected"\r\n;;\r\n*\\;*)\r\necho "Rejected"\r\n;;\r\n*\\<*)\r\necho "Rejected"\r\n;;\r\n*\\`*)\r\necho "Rejected"\r\n;;\r\n*\\|*)\r\necho "Rejected"\r\n;;\r\nrsync\\ --server*)\r\n$SSH_ORIGINAL_COMMAND\r\n;;\r\n*)\r\necho "Rejected"\r\n;;\r\nesac<\/pre>\nIf you use both, separate them with a \u201c,\u201d:<\/p>\n
from="SERVER-B-IP",command="\/usr\/share\/bin\/check_command.sh\u201d ssh-rsa fdasghgdgh+RqUVx5wzgnaMxH2Km5KRx0Wzvsa5Y\r\nvxjwERVVXs2mUEes5mDpoDMX9pUAwKqPCS5CLyDwI+t0xNmVzPzeZjhypIfvBmgaG7pBNx7Zted7C+fha1X3SUmT4TguLzy7pfWbG7CKr2Xkk\r\nFUYUOdUniYc99NsIxY1\/51+\/jjhfgjhfg\/Pr5jqH+jhfjfgj\/jhfgjh+9kErROS1z root@hostname<\/pre>\n<\/p>\n
mkdir \/var\/local\/rsync-ca\r\nchmod 754 \/var\/local\/rsync-ca<\/pre>\n<\/p>\n
chmod 740 \/var\/local\/sync-ca\/rsync-ca<\/pre>\n<\/p>\n
#!\/bin\/bash\r\nRSYNC=\/usr\/bin\/rsync\r\nSSH=\/usr\/bin\/ssh\r\nKEY=\/root\/.ssh\/id_rsa\r\nRUSER=ebox\r\nRHOST=SERVER-A-IP\r\nRPATH=\/var\/lib\/zentyal\/CA\r\nLPATH=\/var\/lib\/zentyal\/\r\n$RSYNC -az -e "$SSH -i $KEY" $RUSER@$RHOST:$RPATH $LPATH<\/pre>\n<\/p>\n
<\/p>\n
# \/etc\/cron.d\/rsync-ca - Runs the script that syncs CA with SERVERA daily\r\n\r\nSHELL=\/bin\/sh\r\nPATH=\/usr\/bin:\/bin\r\n\r\n# Log data for report hourly\r\n@daily root \/var\/local\/rsync-ca\/rsync-ca<\/pre>\n","protected":false},"excerpt":{"rendered":"This document describes the procedure to set up CA sync between two Zentyal servers. We will use for this rsync being run in a cron job. We will use root in the side that starts the connection (provided script will…<\/p>\n