Five years ago I wrote about how to do rsync as root on both sides. That solution required using ssh-askpass which in turn requires X forwarding.
The main complication here is that sudo on the remote side is going to ask for a password, which either requires an interactive terminal or a forwarded X session.
I thought I would mention that if you’ve disabled
tty_tickets in the sudo configuration then you can “prime” the sudo authentication with some harmless command and then do the real rsync without it asking for a sudo password:
local$ ssh -t firstname.lastname@example.org sudo whoami [sudo] password for you: root local$ sudo rsync --rsync-path="sudo rsync" -av --delete \ email@example.com:/etc/secret/ /etc/secret/
This suggestion was already supplied as a comment on the earlier post five years ago, but I keep forgetting it.
I suggest this is only for ad hoc commands and not for automation. For automation you need to find a way to make sudo not ever ask for a password, and some would say to add configuration to sudo with a
NOPASSWD directive to accomplish that.
I would instead suggest allowing a root login by ssh using a public key that is only for the specific purpose, as you can lock it down to only ever be able to execute that one script/program.
Also bear in mind that if you permanently allow “host A” to run rsync as root with unrestricted parameters on “host B” then a compromise of “host A” is also a compromise of “host B”, as full write access to filesystem is granted. Whereas if you only allow “host A” to run a specific script/program on “host B” then you’ve a better chance of things being contained.