Question on encryption

tim.conway at philips.com tim.conway at philips.com
Fri Dec 21 08:53:55 EST 2001


You've hit on just what rsyncd is best for.  It's not particularly secure, 
as it uses plaintext (default null) passwords, so someone working for your 
ISP could sniff your password.  The modules (sections of the filesystem 
tree you expose via rsyncd) are, by default, accessed in a chroot() 
environment, so even if someone gets in, all they see is what they would 
see sniffing your transfer, though it's more convenient.
By default, the connection is read-only, so the only trouble they could 
cause you would be network and disk load from reading your modules.
Tridge wrote rsync specifically to mirror publicly available directory 
trees.

Tim Conway
tim.conway at philips.com
303.682.4917
Philips Semiconductor - Longmont TC
1880 Industrial Circle, Suite D
Longmont, CO 80501
Available via SameTime Connect within Philips, n9hmg on AIM
perl -e 'print pack(nnnnnnnnnnnn, 
19061,29556,8289,28271,29800,25970,8304,25970,27680,26721,25451,25970), 
".\n" '
"There are some who call me.... Tim?"




"George Sinclair" <George.Sinclair at noaa.gov>
Sent by: rsync-admin at lists.samba.org
12/20/2001 02:21 PM
Please respond to george.sinclair

 
        To:     rsync at samba.org
        cc:     (bcc: Tim Conway/LMT/SC/PHILIPS)
        Subject:        Question on encryption
        Classification: 



I am not currently subscribed so please email me below.

First, my only experience with rsync has been older versions (e.g.
1.7.x) which did not allow daemon mode, so please bear with me.

My problem is that I would like to mirror large quantities of data on a
remote machine to a local one, but I don't care about encrypting the
data itself. I only care about securing the connection from the
authentication point of view. Okay, I must admit that I like SSH because
it protects the end user from a variety of attacks, but what I'm saying
is that I don't care if people look at the data. Typically, this
mirroring has been done using just the local client's rsync program in
conjunction with ssh (both on the client and sshd on the remote
machine):

rsync --delete --rsh ssh --rsync-path /path_to_rsync/rsync -rlpt
sourcedir remote_host/target_dir/

The problem, however, is that due to the large size of the data, and the
slowness typically suffered under encryption, the remote machine crawls
to a halt or is seriously impaired. Working with small numbers of files
or infrequent mirrors, the encryption is not a problem, but it gets to
be a burden when you're doing this every night on a lot of data. Some
have suggested using something like 'blowfish -c' instead of the default
to speed things up by perhaps a factor of 3. Anyway, here is my
question:

Does running rsync in daemon mode on the remote host preclude the need
to use SSH from the client? If so, how secure is this versus using rsync
in non daemon mode with SSH? I have considered building SSH to not use
encryption, but I was thinking rsync in daemon mode might obviate the
need to have to use SSH if it can still be made secure.

Thanks.

George Sinclair | george.sinclair at noaa.gov
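
The chroot and read-only defaults mentioned in the reply apply only while no module overrides them. As an added example (not part of the original thread), this Python check reads an rsyncd.conf and lists modules that set `use chroot` or `read only` to false or have no `auth users`; the sample config, paths and function names are constructed for illustration.

```python
import re

TRUE = {"yes", "true", "1"}

# Constructed sample rsyncd.conf (illustrative paths, not from the thread).
SAMPLE_CONF = """\
use chroot = yes
[pub]
path = /srv/mirror/pub
[incoming]
path = /srv/incoming
read only = no
use chroot = no
[private]
path = /srv/private
auth users = backup
secrets file = /etc/rsyncd.secrets
"""

def parse_modules(text):
    """Return {module: settings}; settings before the first [module] are inherited."""
    globals_, modules, current = {}, {}, None
    for line in map(str.strip, text.splitlines()):
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = modules.setdefault(m.group(1).strip(), dict(globals_))
        elif "=" in line and not line.startswith(("#", ";")):
            key, value = line.split("=", 1)
            # Normalise the name: drop internal whitespace, lowercase.
            key = re.sub(r"\s+", "", key).lower()
            (globals_ if current is None else current)[key] = value.strip()
    return modules

def audit(text):
    """Map each module to the protections it gives up; clean modules are omitted."""
    findings = {}
    for name, cfg in parse_modules(text).items():
        checks = [
            ("chroot disabled", cfg.get("usechroot", "yes").lower() not in TRUE),
            ("writable", cfg.get("readonly", "yes").lower() not in TRUE),
            ("anonymous access", not cfg.get("authusers")),
        ]
        issues = [label for label, hit in checks if hit]
        if issues:
            findings[name] = issues
    return findings

if __name__ == "__main__":
    for module, issues in audit(SAMPLE_CONF).items():
        print(f"[{module}] {', '.join(issues)}")
```

For a public mirror, "anonymous access" on a read-only, chrooted module is the intended setup; the combination to look for is a module that is both anonymous and writable or unchrooted.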







