rsync and kerberos

Simo Sorce ssorce at redhat.com
Fri Aug 22 17:24:51 GMT 2008


On Fri, 2008-08-22 at 17:57 +0200, Bacchella Fabrice wrote:
> I would like to use gssapi authentication in rsync. GSSAPI is the  
> standard way to use kerberos.
> 
> My idea is not to have a full pam implementation, just a different
> way to authenticate users than the secret file and md4 challenge.
> 
> I made a little experiment and it worked well.
> 
> What I've done is change the challenge command. Instead of sending
> "@RSYNCD: AUTHREQD <challenge>", it just sends "@RSYNCD: GSSAPI". Then
> gssapi bytes are exchanged and the user principal is returned instead
> of the rsync login. So the changes are small.
> 
> Before submitting a full patch, I seek advice: do you think it's a good
> way to do that? Some configuration files need to be changed, the
> protocol must be changed, is there some best practice about that?
> 
> Any help and advice is welcome.

If you can use ssh then use ssh+GSSAPI auth and you will have to change
nothing.

But kerberizing the protocol itself is a *very* good idea, especially if
you also use signing and sealing using GSSAPI.

I very much look forward to any patch in this area, and I hope other rsync
developers can help you to shape them down so that they can rapidly be
accepted upstream.
I'd be happy also to test patches when they are ready if you post them
somewhere.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York


