Aw: Re: encrypted rsyncd - why was it never implemented?
Kevin Korb
kmk at sanitarium.net
Wed Dec 3 13:41:48 MST 2014
Yes, that would work but as you say it would only work for key
authentication and you would have to control the users'
authorized_keys files.

Also, that isn't the one that would require %h or %u. The alternative
would be something like:

    command="/path/to/rrsync [-ro] /path/to/allow"

I actually use this myself for a couple of cron rsyncs. They use
special unencrypted keys that are only allowed to do these things.

On 12/03/2014 03:38 PM, Karl O. Pinc wrote:
> On 12/03/2014 01:37:58 PM, Kevin Korb wrote:
>> As far as a backup provider goes I wouldn't expect them to use
>> rsync over SSL unless that were built into rsync in the future
>> (and has been around long enough that most users would have it).
>>
>> I would expect them to either use rsync over ssh secured by
>> rrsync or rsyncd over ssh with them managing the rsyncd.conf
>> file. Either way the server side command would be forced and no
>> other ssh functionality would be allowed.
>
> <snip>
>
>> I am thinking of something like this in sshd_config with
>> whichever ForceCommand they would pick:
>>
>> Match Group backupusers
>>     X11Forwarding no
>>     AllowTcpForwarding no
>>     ForceCommand /usr/bin/rsync --server --daemon .
>>     ForceCommand /usr/bin/rrsync-wrapper
>>
>> Note that a wrapper or modification would be needed for rrsync
>> since sshd_config doesn't support %u or %h in ForceCommand :(
>
> I am using command="rsync --server --daemon ." in
> ~/ssh/authorized_keys. Correct me if I'm wrong, but I believe this
> eliminates the need for %u or %h and ForceCommand.
>
> It does mean that key based authentication is required, but this
> does not seem burdensome for a backup oriented solution.
>
>
> Karl <kop at meme.com> Free Software: "You don't pay back, you pay
> forward." -- Robert A. Heinlein
>
--
~*-,._.,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,-*~
Kevin Korb Phone: (407) 252-6853
Systems Administrator Internet:
FutureQuest, Inc. Kevin at FutureQuest.net (work)
Orlando, Florida kmk at sanitarium.net (personal)
Web page: http://www.sanitarium.net/
PGP public key available on web site.
~*-,._.,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,-*~
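
Added example, not part of either poster's message and not rsync project code: a check that every key in an authorized_keys file is pinned to one of the forced commands discussed in this thread and has the rest of ssh switched off. The function names, the sample entries and the choice to accept only rrsync or "rsync --server --daemon ." are assumptions made for illustration.

```python
import re

# Constructed sample authorized_keys content; key blobs are placeholders.
SAMPLE = '''\
command="/path/to/rrsync -ro /path/to/allow",restrict ssh-ed25519 AAAAexample1 cron-backup
command="rsync --server --daemon .",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa AAAAexample2 daemon-locked
command="rsync --server --daemon ." ssh-rsa AAAAexample3 forwarding-left-on
ssh-ed25519 AAAAexample4 unrestricted
'''
KEY_TYPES = ("ssh-", "ecdsa-", "sk-")   # a line starting like this has no options
# One option: name, optional quoted value, then "," (more follow) or whitespace.
OPTION = re.compile(r'([A-Za-z0-9-]+)(?:="((?:\\.|[^"\\])*)")?(,|\s+)')
# Options that together (or "restrict", in newer OpenSSH) leave only the command.
LOCKDOWN = {"no-port-forwarding", "no-x11-forwarding", "no-agent-forwarding", "no-pty"}
# Forced commands named in the thread: rrsync, or rsync started as a daemon.
ALLOWED = re.compile(r"(\S*/)?(rrsync(\s|$)|rsync\s+--server\s+--daemon\s+\.$)")

def split_options(line):
    """Return (options, remainder) for one authorized_keys line."""
    opts, pos = {}, 0
    if line.startswith(KEY_TYPES):
        return opts, line
    while True:
        m = OPTION.match(line, pos)
        if not m:                       # malformed options: report what was parsed
            return opts, line[pos:]
        opts[m.group(1).lower()] = m.group(2)   # option names are case-insensitive
        pos = m.end()
        if m.group(3) != ",":
            return opts, line[pos:]

def audit(text):
    """Return [(key comment, [problems])] for every key line in text."""
    report = []
    for line in map(str.strip, text.splitlines()):
        if not line or line.startswith("#"):
            continue
        opts, rest = split_options(line)
        problems = []
        cmd = opts.get("command")
        if cmd is None:
            problems.append("no forced command")
        elif not ALLOWED.match(cmd):
            problems.append("forced command is not rrsync or an rsync daemon")
        if "restrict" not in opts and not LOCKDOWN <= set(opts):
            problems.append("forwarding or pty still allowed")
        fields = rest.split(None, 2)
        report.append((fields[2] if len(fields) > 2 else "(no comment)", problems))
    return report
```

Calling audit(SAMPLE) returns one entry per key; an empty problem list means the key can only run its forced rsync command.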