1. Install rssh
rssh to limit shell activity for users using the shell
sudo apt-get install rssh
Now edit the config file
/etc/rssh.conf to allow
allowscp allowrsync #allowsftp #allowcvs #allowrdist #allowsvnserve
NOTE: Since you are going through SSH, you don’t need to enable firewall rule for rsync.
# DO NOT RUN this: sudo ufw allow rsync # You can safely run this: $ sudo ufw delete allow rsync
2. Create a new group & user for publishing only
In this step we will create a new
publishers group and a new user
publisher1, whose sole responsibility is to rsync.
First, create a new user
publisher1 that is in charge of publishing on your Linux server:
sudo apt-get install rssh sudo useradd --home-dir /home/publisher1 --create-home --shell /usr/bin/rssh publisher1 sudo mkdir /home/publisher1/.ssh/ sudo touch /home/publisher1/.ssh/authorized_keys sudo addgroup publishers sudo usermod -aG publishers publisher1 sudo chown -R publisher1:publishers /home/publisher1/.ssh sudo chmod go-w /home/publisher1 sudo chmod 0700 /home/publisher1/.ssh sudo chmod 0644 /home/publisher1/.ssh/authorized_keys # chmod for private keys: 0600 # chmod for public keys: 0644
Note that the permission must be set as above or your will not be able to
Try to become
publisher1 and you won’t be able to:
$ sudo su publisher1 This account is restricted by rssh. This user is locked out. If you believe this is in error, please contact your system administrator.
3. Generate a key pair to publish
On your local machine:
ssh-keygen -t rsa -b 4096 -C "publish-only" -f ~/.ssh/publisher1
Now manually copy the content of the file
ssh -i ~/.ssh/publisher1 firstname.lastname@example.org
You should see the following tail:
This account is restricted by rssh. This user is locked out. If you believe this is in error, please contact your system administrator. Connection to code2.pro closed.
If you see the error
Permission denied(publickey) then you should follow the next step.
4. Allow publishers group to SSH
Note that many servers with restricted access do require you to successfully pass through SSH before doing rsync. This step is not obvious as some servers with lax security don’t require it.
Open the SSH config:
Find the line containing
AllowGroups and append the group
AllowGroups xxx yyy publishers
Save the file and reload SSH config (don’t restart):
$ sudo /etc/init.d/ssh reload [ ok ] Reloading ssh configuration (via systemctl): ssh.service.
If you see this message when trying to SSH, you did things correctly:
$ ssh -i ~/.ssh/publisher1 email@example.com This account is restricted by rssh. This user is locked out. If you believe this is in error, please contact your system administrator. Connection to code2.pro closed.
5. Set up SSH alias in config
Now edit the file
~/.ssh/config on your local machine:
# To publish Hugo posts Host blog01 HostName code2.pro User publisher1 IdentityFile ~/.ssh/publisher1
6. Now publish with SSH alias
Use the SSH alias
blog01 above to publish your Hugo blog:
rm -rf _dsite/* hugo -b 'https://code2.pro/' --canonifyURLs -d _dsite rsync -avz --partial --progress --delete _dsite/ blog01:~/blog-deep-thoughts/
Expect the output like this:
building file list ... 359 files to consider sent 7101 bytes received 20 bytes 4747.33 bytes/sec total size is 5654674 speedup is 794.08
7. Config web server
I will leave this to you. Just remember to set soft link or publish directly to the public dir:
cd /var/www/code2.pro sudo ln -s -f /home/publisher1/blog-deep-thoughts public
Congrats! Now you can safely publish your Hugo blog via
8. Remove the user
If you decided that such setting is not for you and you need to remove user created, use commands:
$ sudo deluser publisher1 $ sudo deluser --remove-home publisher1
On certain servers, account expiration is strictly set and your account could have expired:
Your account has expired; please contact your system administrator Permission denied (keyboard-interactive). rsync: connection unexpectedly closed (0 bytes received so far) [sender]
In that case you need to change expiration:
# List expiration information $ sudo chage -l publisher1 # Change expiration date to Jan 01, 2019 $ sudo usermod -e 2019-01-01 publisher1 # This will yield the same effect $ sudo chage -E 2019-01-01 publisher1 # You will need to set password expiry manually & interactively # Change expiration configuration interactively $ sudo chage publisher1
Should you need to refer to actual working setup, check: https://github.com/vietlq/vietlq.github.io/tree/source