Data Transfer Service (Anonymous SSH + Rsync)

Overview

The SCI Cluster Data Transfer Service provides SCI users with secure, controlled access to dedicated directories for sharing and receiving data to/from external users via rsync over SSH.

Each SCI user is assigned isolated directories with read-only and read–write permissions.
Access for external users is granted through restricted SSH keys that allow only rsync commands, with no interactive shell access.


How It Works

  • External users connect via SSH using rsync.
  • Authentication is done with pre-approved SSH public keys.
  • Each key is restricted with options such as:
      • restrict → disables shell and forwarding
      • command="rsync --server --daemon ..." → enforces rsync-only access
      • expiry-time="YYYYMMDD" → automatically disables expired keys

The server runs rsync in daemon mode, using a per-user configuration file that defines their data paths.
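
An added example (not part of the SCI service's own tooling): a Python check that an administrator could run over authorized_keys entries to confirm each key carries the three restrictions listed above. The function names, the 6-month ceiling and the sample lines are assumptions made for this example; the options that undo restrict are the ones documented in sshd(8).

```python
import re
from datetime import datetime, timedelta

MAX_LIFETIME = timedelta(days=183)   # assumption: the 6-month default treated as a ceiling
REENABLE = {"pty", "port-forwarding", "agent-forwarding", "x11-forwarding", "user-rc"}
OPTION = re.compile(r'([A-Za-z0-9-]+)(?:="((?:[^"\\]|\\.)*)")?(?:,|$)')

def split_options(line):
    """Return {option: value-or-True} from the options field of one key line."""
    if line.startswith(("ssh-", "ecdsa-", "sk-")):
        return {}                    # line begins with the key type: no options at all
    field, quoted, prev = "", False, ""
    for ch in line:                  # options end at the first unquoted whitespace
        if ch == '"' and prev != "\\":
            quoted = not quoted
        elif ch.isspace() and not quoted:
            break
        field, prev = field + ch, ch
    return {m.group(1).lower(): True if m.group(2) is None else m.group(2)
            for m in OPTION.finditer(field)}

def audit_key(line, today):
    """Return findings for one authorized_keys line; an empty list means compliant."""
    opts, findings = split_options(line.strip()), []
    if "restrict" not in opts:
        findings.append("missing restrict")
    findings += [f"re-enables {o}" for o in sorted(opts.keys() & REENABLE)]
    cmd = opts.get("command")
    if not isinstance(cmd, str) or not cmd.startswith("rsync --server --daemon"):
        findings.append("forced command is not rsync --server --daemon")
    try:                             # use the date part of YYYYMMDD[HHMM[SS]]
        when = datetime.strptime(opts.get("expiry-time")[:8], "%Y%m%d")
    except (TypeError, ValueError):
        findings.append("missing or unparseable expiry-time")
    else:
        if when < today:
            findings.append("expired")
        elif when - today > MAX_LIFETIME:
            findings.append("expiry beyond 6 months")
    return findings

# Constructed sample lines (the key blob is a placeholder, not a real key)
BLOB = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER ext-user"
GOOD = 'restrict,command="rsync --server --daemon ...",expiry-time="20250630" ' + BLOB
BAD = 'restrict,pty,command="rsync --server --daemon ...",expiry-time="20300101" ' + BLOB
```

Call audit_key(line, datetime.now()) for each line of the file; a key line with no options field at all is reported with all three findings.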


Access Model

Each SCI user has two directories on the transfer server:

Directory    Path                                                Access         Description
Read-only    /lustre/<group>/WORK/anonsftp/transfer/<user>/ro    Read           Download-only area for the user
Read-write   /lustre/<group>/WORK/anonsftp/transfer/<user>/rw    Read & Write   Upload area for incoming data

If you need to share additional directories (outside of these default paths), please contact support — administrators must explicitly configure these in your rsync configuration file.


Access Policy

Request Access

To use this service, the SCI user must contact the SCI Support Team at soporte.sci@unican.es and provide:

  • SSH public key of the external user to whom you want to give access
  • Desired expiry date (default: 6 months)

Upload and Download Examples

Once access has been granted, the external user can upload or download data using the following commands:

Upload data (read–write) example

rsync -avP --rsh=ssh ./data/ anonsftp@ui.sci.unican.es::<user>-rw

Download data (read-only) example

rsync -avP --rsh=ssh anonsftp@ui.sci.unican.es::<user>-ro ./downloads/

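* Why --rsh=ssh? With the double-colon (::) module syntax, rsync would otherwise try to reach an rsync daemon directly over TCP. --rsh=ssh makes it connect through SSH instead, where the key's forced command starts the rsync daemon for that session.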


Security Features

  • No interactive login — SSH access is strictly limited to rsync.
  • Per-user configuration — completely isolated directories.
  • Auto-expiring keys — access automatically revoked at expiry.
  • Detailed logs stored in:

/lustre/<group>/WORK/anonsftp/rsyncd_log/<user>.log


Key Expiry and Renewal

Your SSH key will automatically expire on the date defined in its metadata (expiry-time).

To renew, contact support with the desired expiry date.


Support

If you encounter any issues (authentication errors, permission denied, etc.), please contact:

SCI Cluster Support
soporte.sci@unican.es