Daily Shaarli

All links of one day in a single page.

November 12, 2023

Record of the UNIX Wars: Restrictive rsync + ssh

We eliminated the need to use a password so we can write a script to use the above. But, we can still ssh using that key to do other things besides just rsync. Time to finally get to the topic of this post.

If the IP/hostname of the host you are backing up flyingmonkey from does not change, you can begin by adding it as a from= restriction at the front of the ~bob/.ssh/authorized_keys entry for the flyingmonkey public key.

The next step is to specify which commands can be run when connecting with this key. That again means editing ~bob/.ssh/authorized_keys; this time we add a command= option in front of the key:

from="192.168.42.24",command="/home/bob/.ssh/validate-rsync" ssh-rsa AAAAB3NzaC1yc2EAAAADAQlVk [...] se9ZDx backup-key

And define validate-rsync as

cat > .ssh/validate-rsync << 'EOF'
#!/bin/sh
# Forced command: only the one rsync server invocation below is allowed.
case "$SSH_ORIGINAL_COMMAND" in
    rsync\ --server\ --sender\ -vlogDtprze.iLsf\ .\ pickles)
        # Intentionally unquoted so the string is split back into arguments.
        $SSH_ORIGINAL_COMMAND
        ;;
    *)
        # Fail closed: report on stderr and return a non-zero status.
        echo "Permission denied: scripts/eiger " >&2
        exit 1
        ;;
esac
EOF

chmod +x .ssh/validate-rsync

And this is where it gets really exciting. All validate-rsync does is check that the command being sent is not just any rsync command but one specific invocation. Once we figure out how to capture the proper SSH_ORIGINAL_COMMAND, we can change the line
rsync\ --server\ --sender\ -vlogDtprze.iLsf\ .\ pickles)
to whatever matches our backup script, and test. Note that if you change the rsync statement, you will also need to change the case pattern.
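As an added illustration (this is not the script from the original post), here is a stricter validate-rsync in POSIX sh that keeps the post's approach of matching the exact rsync server command, but also fails closed with a non-zero exit status, logs denied attempts, and refuses shell metacharacters and ".." in the requested path. The directory name "pickles", the client address 192.168.42.24 and the key comment come from the post; the is_allowed/dispatch function names, the logger call and the extra no-* key options in the comment are assumptions made for this example.

```shell
#!/bin/sh
# validate-rsync: hypothetical hardened forced command (example, not the post's script).
# Installed via ~bob/.ssh/authorized_keys, e.g. (no-* options are suggested additions):
#   from="192.168.42.24",command="/home/bob/.ssh/validate-rsync",no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding ssh-rsa AAAA[...] backup-key

set -f   # no pathname expansion when the command string is split into words

# Directory this key may read (assumed; "pickles" is the name used in the post).
ALLOWED_DIR="pickles"

# is_allowed CMD: return 0 if CMD is exactly an rsync --server invocation we permit,
# 1 otherwise. Pure check with no side effects, so it can be exercised offline.
is_allowed() {
    cmd=$1
    # Reject anything that could chain commands, redirect, or escape the directory.
    case "$cmd" in
        *';'*|*'|'*|*'&'*|*'$'*|*'`'*|*'>'*|*'<'*|*'..'*) return 1 ;;
    esac
    # Exact sender-side command rsync generates for a pull of $ALLOWED_DIR.
    case "$cmd" in
        "rsync --server --sender -vlogDtprze.iLsf . $ALLOWED_DIR") return 0 ;;
        "rsync --server --sender -vlogDtprze.iLsf . $ALLOWED_DIR/") return 0 ;;
    esac
    return 1
}

# dispatch CMD: exec the permitted rsync, otherwise log the attempt and fail closed.
dispatch() {
    cmd=$1
    if is_allowed "$cmd"; then
        # Unquoted on purpose: the exact, already-validated string is split on IFS.
        exec $cmd
    fi
    client=${SSH_CLIENT%% *}   # first field of SSH_CLIENT is the peer address
    logger -p auth.warning -t validate-rsync "denied '$cmd' from ${client:-unknown}" 2>/dev/null
    echo "Permission denied" >&2
    exit 1
}

# Only act when sshd actually handed us a command; sourcing the file for tests is harmless.
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    dispatch "$SSH_ORIGINAL_COMMAND"
fi
```

The exact-match style means a change to the backup script's rsync flags must be mirrored in is_allowed, which is the same maintenance cost the post describes; the benefit is that a denial now returns a failure status the calling backup job can notice, and the denied command line ends up in the auth log where it can be alerted on.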