I often have to automatically trigger some server action from a remote machine, and I have used a password-less SSH key and a dedicated account on the server for this so far.

But it turns out that SSH can provide more security. In ~/.ssh/authorized_keys, you can specify options for every key. This not only lets you turn off port forwarding, but also lets you specify a command that replaces the interactive shell, or whatever command the SSH client asked to run.

This command can be a shell script which checks what the client wants to run and executes it if it looks OK, or it can start the rsync daemon.

So to automatically run rsync over SSH, create a password-less SSH key on the client, put the public key in ~/.ssh/authorized_keys on the server, and prefix that key's line with the following options. Keep the options on a single line (the line break below is only for display), and put a space between the closing quote and the key string.

no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty,
command="rsync --server --daemon --config=/etc/rsyncd.conf ."
ssh-dss keydata user@example.com

In /etc/rsyncd.conf, list the directories the client may access. Because rsync is not running as root, it cannot chroot, so chroot has to be switched off.

use chroot = no

[backup]
path = /var/backup
read only = yes

On the client, you then run rsync as follows to fetch the latest backup files. Note the double colon between the host name and the module name. If needed, you can append a directory or file path after the module name.

rsync -e "ssh -i $HOME/.ssh/id_dsa-backup" \
-a --delete server.example.com::backup/ /data/server-backup

Of course, it's still a good idea to use a dedicated account on the server for this.
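The checking shell script mentioned above, as an added example that is not part of the original post: a forced-command wrapper that inspects what the client asked to run (sshd passes it in SSH_ORIGINAL_COMMAND), logs the decision through logger, and only then starts the rsync daemon with the fixed configuration. It assumes the wrapper is installed as /usr/local/bin/rsync-guard and referenced from the command= option instead of rsync itself.

```shell
#!/bin/sh
# rsync-guard: forced-command wrapper for the authorized_keys entry
#   command="/usr/local/bin/rsync-guard"   (install path is an assumption)
# sshd stores the command the client asked for in SSH_ORIGINAL_COMMAND;
# the wrapper logs it, accepts only the request an rsync client sends in
# daemon mode, and runs the daemon with a fixed configuration.

RSYNCD_CONF=/etc/rsyncd.conf   # the config file used in the post

# is_allowed_request REQUEST
# Returns 0 only for "rsync --server --daemon .", optionally prefixed by
# an absolute directory (what --rsync-path on the client produces, e.g.
# "/usr/bin/rsync --server --daemon ."). Anything else returns 1.
is_allowed_request() {
    req=$1
    prefix=${req%"rsync --server --daemon ."}
    [ "$prefix" != "$req" ] || return 1     # required suffix is missing
    case "$prefix" in
        '')                     return 0 ;; # bare "rsync ..."
        *[!A-Za-z0-9_./-]*)     return 1 ;; # metacharacters or spaces
        /*/)                    return 0 ;; # plain absolute directory
        *)                      return 1 ;;
    esac
}

# Decide on the incoming request, log the decision, then either exec the
# daemon or refuse. Nothing the client sent is ever executed.
run_guard() {
    req=${SSH_ORIGINAL_COMMAND:-}
    client=${SSH_CLIENT%% *}    # first field of SSH_CLIENT is the peer IP
    if is_allowed_request "$req"; then
        logger -p auth.info -t rsync-guard "allow ${client:-?}: $req"
        exec rsync --server --daemon --config="$RSYNCD_CONF" .
    fi
    logger -p auth.warning -t rsync-guard "deny ${client:-?}: $req"
    echo "rsync-guard: request refused" >&2
    exit 1
}

# Act as the forced command only when installed under that name, so the
# check function can also be sourced and tested on its own.
if [ "${0##*/}" = "rsync-guard" ]; then
    run_guard
fi
```

The daemon still enforces the module list from /etc/rsyncd.conf; the wrapper only adds the inspection and a syslog record of every request, accepted or refused.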

21:58, 25 May 2005 by Carsten Clasohm
