Troubleshooting Rsync Daemon Mode Over SSH: Fixing “connection unexpectedly closed” Error


When attempting to use rsync in daemon-over-SSH mode with restricted access, many developers encounter the frustrating "connection unexpectedly closed" error. Here's the complete technical breakdown of why this occurs and how to properly implement this secure configuration.

The correct syntax for rsync daemon mode via SSH should use a single colon (:) rather than double colons (::), since double colons indicate direct daemon mode connection. The proper command structure should be:

rsync -av -e ssh remotehost:/module/path /local/path

Your rsyncd.conf should be placed in /etc/ by default, not in the user's home directory. Here's the proper setup:

# /etc/rsyncd.conf
[root]
    path = /
    read only = true
    uid = root
    gid = root
    use chroot = yes

To properly restrict access via authorized_keys, you need to specify the full path to rsync and use the --config option:

# ~/.ssh/authorized_keys
command="/usr/bin/rsync --server --daemon --config=/etc/rsyncd.conf ." ssh-rsa AAAAB3Nza...

If the connection still closes unexpectedly, work through these checks:

  1. Verify rsync is in PATH for the SSH user
  2. Check permissions on /etc/rsyncd.conf (should be 600)
  3. Ensure rsyncd is running on the remote host
  4. Test connectivity with verbose flags:

rsync -vvvv -e ssh remotehost::root/etc/passwd .

For even tighter security, consider using rrsync (restricted rsync) which comes with rsync:

command="/usr/share/rsync/scripts/rrsync -ro /allowed/path" ssh-rsa AAAAB3Nza...

This provides better security than the daemon approach while maintaining simplicity.

Here's the complete working configuration:

# Remote server /etc/rsyncd.conf
[backup]
    path = /allowed/backup/path
    read only = yes
    list = no

# Local machine command
rsync -avz -e ssh remotehost:backup/ /local/backup/

When attempting to use rsync in daemon-over-SSH mode, many administrators encounter the frustrating "rsync: connection unexpectedly closed" error. This typically occurs when trying to combine the security of SSH with the flexibility of rsync's daemon configuration.

The standard approach involves creating an rsyncd.conf file in the user's home directory (in this case, root's home):

[root]
path = /
read only = true

The error often stems from incorrect command syntax. The following attempt will fail:

rsync -vv -e ssh myserver::root/etc/passwd .

Instead, use this working version:

rsync -avz -e ssh --rsync-path="rsync --daemon --config=/root/rsyncd.conf" root@myserver::root/etc/passwd .

Three key elements must align:

  1. The rsyncd.conf file must be readable by the user initiating the connection
  2. The path specified must exist and have correct permissions
  3. The module name (in this case "root") must match the configuration

For enhanced security, add this to your ~/.ssh/authorized_keys:

command="rsync --server --daemon --config=/root/rsyncd.conf" ssh-rsa AAAAB3...keydata
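
A forced command limits what the key may execute, but OpenSSH still allows port, agent and X11 forwarding and PTY allocation for that key unless they are prohibited with `restrict` or the individual `no-*` options. The linter below is an added example, not code from the original page: the function names `key_options` and `audit_key_line` and the finding labels are hypothetical, the sample entries are constructed, and the forwarding checks go beyond what the page covers. It applies equally to the `command=` entries shown earlier, including the rrsync one.

```shell
#!/bin/sh
# Added example, not from the original page: lint authorized_keys entries that
# confine a key to rsync. Function names and finding labels are hypothetical.
# Print the options field: text up to the first blank outside double quotes.
key_options() {
    printf '%s\n' "$1" | awk '{
        q = 0; out = ""
        for (i = 1; i <= length($0); i++) {
            c = substr($0, i, 1)
            if (c == "\\" && q) { out = out c substr($0, ++i, 1); continue }
            if (c == "\"") q = !q
            if ((c == " " || c == "\t") && !q) break
            out = out c
        }
        print out
    }'
}
add() { out="${out:+$out }$1"; }

# Print space-separated findings for one entry, or "ok" if none.
audit_key_line() {
    out=""
    opts=$(key_options "$1")
    case $opts in ssh-*|ecdsa-*|sk-*) opts="" ;; esac  # field 1 is the key type
    cmd=$(printf '%s\n' "$opts" | sed -n 's/.*command="\([^"]*\)".*/\1/p')
    if [ -z "$cmd" ]; then
        add no-forced-command            # key gets a normal login shell
    else
        case $cmd in /*) ;; *) add relative-command-path ;; esac
        case $cmd in
            *--daemon*--config=*|*--config=*--daemon*) ;;
            *--daemon*) add daemon-without-config ;;
        esac
    fi
    case ",$opts," in
        *,restrict,*) ;;                 # restrict turns all of these off at once
        *) for o in no-pty no-port-forwarding no-agent-forwarding no-X11-forwarding; do
               case ",$opts," in *",$o,"*) ;; *) add "missing-$o" ;; esac
           done ;;
    esac
    echo "${out:-ok}"
}

# Constructed sample entries; the key material is a placeholder.
while IFS= read -r entry; do
    printf '%s\n  -> %s\n' "${entry%% AAAA*}" "$(audit_key_line "$entry")"
done <<'EOF'
command="rsync --server --daemon --config=/root/rsyncd.conf" ssh-rsa AAAAplaceholder
restrict,command="/usr/bin/rsync --server --daemon --config=/etc/rsyncd.conf ." ssh-rsa AAAAplaceholder
EOF
```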

When facing connection issues:

# Check rsync daemon logs:
journalctl -u rsync

# Verify SSH connectivity:
ssh -v root@myserver rsync --server --daemon .

# Test configuration syntax:
rsync --daemon --config=/root/rsyncd.conf --no-detach --verbose

For more complex setups, consider using a dedicated configuration file:

# /etc/rsyncd.d/root.conf
[root]
    path = /
    comment = Root filesystem
    use chroot = yes
    read only = yes
    list = no
    auth users = root
    secrets file = /etc/rsyncd.secrets