<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-text-flowed" style="font-family: -moz-fixed;
font-size: 14px;" lang="x-unicode">Hi,
<br>
<br>
Will rsync adopt Kerberos/GSSAPI integration? It would be really
good if we could establish password-less connections that adhere
to user permissions.
<br>
<br>
I am aware there is a patched version of rsync for this purpose,
but it seems to run a few versions behind the main releases. Are
there any plans to incorporate the work done there into the main
release? (see <a class="moz-txt-link-freetext"
href="http://jrds.fr/rsynck">http://jrds.fr/rsynck</a> for
patch)
<br>
<br>
At the moment, I am using the following script as a cron job:
<br>
<br>
--
<br>
#!/bin/bash
<br>
<br>
kinit -k -t /etc/rsync.keytab $1
<br>
rsync -aHAXxv --numeric-ids --delete --progress -e "ssh -p $2 -T
-c arcfour -o Compression=no -x" $3 $1@$4
<br>
kdestroy
<br>
--
<br>
<br>
Where a command might look like:
<br>
<br>
sudo ./myscript <principal> <port> <source>
<host@destination>
<br>
<br>
This works for the purposes of creating a Kerberized connection
over which the backup can take place, and will adhere to all user
access controls. The downsides are that the tunnel is encrypted
and is slow (terrabytes over gigabit ethernet takes a while), and
also requires that the principal's posixAccount have a valid
homeDirectory and loginShell to establish the ssh tunnel rather
than being a non-interactive service account.
<br>
<br>
It would be really good if we could use the rsync + rsyncd
approach with a connection that can pass user credentials through
using an established central security infrastructure.
<br>
<br>
Regards,
<br>
Rob.
<br>
</div>
</body>
</html>