rsync and SSL
Dave Dykstra
dwd at bell-labs.com
Tue Sep 18 03:10:45 EST 2001
On Fri, Sep 14, 2001 at 10:29:37PM -0500, Phil Howard wrote:
> Dave Dykstra wrote:
>
> > If stunnel doesn't work, how about this idea: what if you hand out an
> > unencrypted SSH "private" key to all users, and put in a .ssh/authorized_keys
> > on the server with a forced command that restricts what the users can do
> > to specific rsync commands? That will still encrypt the connection, and
> > even though the authentication key will be well-known it should be safe
> > because the authentication key is independent of the encryption key.
>
> My concern with SSH is making it function with an authentication space
> different than the /etc/passwd space, and absolutely ensuring that there
> is no way anyone accessing via SSH could execute any other command.
>
> I'm quite confident rsync will work over stunnel. But I don't know if
> there is any effort to "standardize" a different port number for rsync
> over ssl.

No, there hasn't. Is 874 available?

> In a separate project I'm developing a new POP3 server, and
> will be looking at integrating SSL, probably with code from stunnel,
> so the logic of the server operates with the direct knowledge of where
> the connection comes from. One way that I might do this is for an SSL
> connection, to launch an additional process to handle the SSL layer
> just like stunnel, perhaps actually running that code. For rsync, this
> might also be a way to do it. Integrating it into a client could be even
> more useful.

This has been talked about before but never done. See for instance
the thread starting at
    http://lists.samba.org/pipermail/rsync/2000-October/003041.html

Nobody has mentioned trying rsync with stunnel according to my saved
rsync-related email.

Somebody made an rsync SASL patch but I really don't know if or how that's
related to SSL. That posting is at
    http://lists.samba.org/pipermail/rsync/1999-July/001250.html

- Dave Dykstra
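
The forced-command idea quoted above, and the concern about ensuring no other command can run, sketched as a wrapper that validates what the client asked for before executing it. This is an added example, not code from the thread or from rsync; the install path `/usr/local/bin/rsync-only`, the export root `/srv/pub`, the key placeholder and the policy itself are assumptions.

```shell
#!/bin/sh
# Added example: forced-command wrapper for a shared, read-only rsync key.
# The install path, ALLOWED_ROOT and the policy are assumptions for illustration.
#
# Server-side ~/.ssh/authorized_keys entry (one line; key is a placeholder):
#   command="/usr/local/bin/rsync-only",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding ssh-rsa <PUBLIC-KEY-PLACEHOLDER>

LC_ALL=C; export LC_ALL        # make the A-Z style ranges below byte-exact
ALLOWED_ROOT="/srv/pub"        # assumed export directory

# Return 0 only for: rsync --server --sender -<short options> . <path under ALLOWED_ROOT>
rsync_cmd_allowed() {
    case $1 in
        *[!A-Za-z0-9\ ./_-]*) return 1 ;;   # shell metacharacters, quotes, globs, newlines
        *..*)                 return 1 ;;   # parent-directory traversal
    esac
    set -- $1                               # plain word split; glob characters were rejected above
    [ $# -eq 6 ] || return 1                # exact shape: no extra options or paths
    [ "$1 $2 $3" = "rsync --server --sender" ] || return 1   # --sender = client is pulling
    case $4 in
        -*[!A-Za-z.]*|-) return 1 ;;        # long options such as --remove-source-files
        -*) ;;
        *)  return 1 ;;
    esac
    [ "$5" = "." ] || return 1
    case $6 in
        "$ALLOWED_ROOT"|"$ALLOWED_ROOT"/*) return 0 ;;
    esac
    return 1
}

# sshd puts the client's requested command in SSH_ORIGINAL_COMMAND; a login
# with no command falls through and the session ends without a shell.
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    if rsync_cmd_allowed "$SSH_ORIGINAL_COMMAND"; then
        exec $SSH_ORIGINAL_COMMAND          # unquoted on purpose: validated words, never eval
    fi
    echo "rejected: only read-only rsync under $ALLOWED_ROOT is permitted" >&2
    exit 1
fi
```

The check is on the command string only: with `-L` rsync reads through symlinks, so the export tree should contain no links pointing outside it.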