Question on encryption

Dave Dykstra dwd at bell-labs.com
Fri Dec 21 09:45:52 EST 2001


On Thu, Dec 20, 2001 at 04:21:52PM -0500, George Sinclair wrote:
> I am not currently subscribed so please email me below.
> 
> First, my only experience with rsync has been older versions (e.g.
> 1.7.x) which did not allow daemon mode, so please bear with me.
> 
> My problem is that I would like to mirror large quantities of data on a
> remote machine to a local one, but I don't care about encrypting the
> data itself. I only care about securing the connection from the
> authentication point of view. Okay, I must admit that I like SSH because
> it protects the end user from a variety of attacks, but what I'm saying
> is that I don't care if people look at the data. Typically, this
> mirroring has been done using just the local client's rsync program in
> conjunction with ssh (both on the client and sshd on the remote
> machine):
> 
> rsync --delete --rsh ssh --rsync-path /path_to_rsync/rsync -rlpt
> sourcedir remote_host/target_dir/
> 
> The problem, however, is that due to the large size of the data, and the
> slowness typically suffered under encryption, the remote machine crawls
> to a halt or is seriously impaired. Working with small numbers of files
> or infrequent mirrors, the encryption is not a problem, but it gets to
> be a burden when you're doing this every night on a lot of data. Some
> have suggested using something like 'blowfish -c' instead of the default
> to speed things up by perhaps a factor of 3. Anyway, here is my
> question:
> 
> Does running rsync in daemon mode on the remote host preclude the need
> to use SSH from the client? If so, how secure is this versus using rsync
> in non daemon mode with SSH? I have considered building SSH to not use
> encryption, but I was thinking rsync in daemon mode might obviate the
> need to have to use SSH if it can still be made secure.


Unfortunately, the answer is no.  The rsync daemon can protect access with
passwords that are not sent in the clear over the network, but it does not
do anything to guarantee that hosts are not being spoofed and that there's
no man-in-the-middle.  The answer for people who use that has always been
to use ssh.

- Dave Dykstra




More information about the rsync mailing list