Authenticating the rsync server

Martin Pool mbp at samba.org
Sun Nov 25 03:43:57 EST 2001 

On 24 Nov 2001, Philip Mak <pmak at aaanime.net> wrote:
> Scenario: I have a main website. I want to allow other people with web
> servers to use rsync to synchronize mirror copies of my website.
> 
> When the mirror website uses rsync to connect to the server, how can it be
> sure that the server is not an IP spoofing impostor that is serving up
> altered files?
> 
> >From what I've read in the rsync documentation, the rsync server doesn't
> seem to have a way of proving that it is the real server (e.g. by using
> public key cryptography).
> 
> So, if I wanted to authenticate the rsync server, then I would have to use
> rsync over ssh instead of running an rsync server over inetd, right?

Yes, this is probably the best way to go for now.

The rsyncd-over-ssh patch that was discussed a little while might help
you as well, but that means you'll have to patch all your clients.

You can look at the "pserver" chroot jail program available from
cvs.samba.org, which will help you lock the clients into a safe
directory.
 
> I should then put the ssh public key of the server on the website,
> available through https:// on my website. Someone who wants to setup a
> mirror can download the ssh public key via https://, install that in their
> ssh client, and then use ssh to connect to a shell account on my server to
> run rsync.
> 
> What about security, though? I would essentially be giving a shell account
> to anyone who wants to use it. This shell account would have to be
> restricted: It is CHROOTed in the file area, it cannot write to any of the
> files, and it can't run any program other than rsync. I'd guess I'd have
> to set this account to some special restricted shell that does this.

You can also look at the sshd function to restrict allowable commands.
The ssh "subsystem" feature might also be useful -- I haven't tried
it.
 
> Am I right about all of the above? If yes, does anyone know where I might
> start looking for such a special restricted shell program? If no, where
> did I go wrong (is there a simpler way to provide a relatively simple
> thing such as authentication of the rsync server)?

Alternatively you could GPG sign the files on the server.  If this
suits your situation, then it might give you better protection because
it also lets the end users check that the mirrors have not interfered
with the files or been spoofed.

  $ gpg --detach-sign linux-2.4.14.tar.gz

  $ gpg --verify linux-2.4.14.tar.gz.sig

--
Martin

More information about the rsync mailing list