rsync and SSL
dwd at bell-labs.com
Tue Sep 18 03:10:45 EST 2001
On Fri, Sep 14, 2001 at 10:29:37PM -0500, Phil Howard wrote:
> Dave Dykstra wrote:
> > If stunnel doesn't work, how about this idea: what if you hand out an
> > unencrypted SSH "private" key to all users, and put in a .ssh/authorized_keys
> > on the server with a forced command that restricts what the users can do
> > to specific rsync commands? That will still encrypt the connection, and
> > even though the authentication key will be well-known it should be safe
> > because the authentication key is independent of the encryption key.
> My concern with SSH is making it function with an authentication space
> different than the /etc/passwd space, and absolutely ensuring that there
> is no way anyone accessing via SSH could execute any other command.
> I'm quite confident rsync will work over stunnel. But I don't know if
> there is any effort to "standardize" a different port number for rsync
> over ssl.
No, there hasn't. Is 874 available?
> In a separate project I'm developing a new POP3 server, and
> will be looking at integrating SSL, probably with code from stunnel,
> so the logic of the server operates with the direct knowledge of where
> the connection comes from. One way that I might do this is for an SSL
> connection, to launch an additional process to handle the SSL layer
> just like stunnel, perhaps actually running that code. For rsync, this
> might also be a way to do it. Integrating it into a client could be even
> more useful.
This has been talked about before but never done. See for instance
the thread starting at
Nobody has mentioned trying rsync with stunnel according to my saved
Somebody made an rsync SASL patch but I really don't know if or how that's
related to SSL. That posting is at
- Dave Dykstra
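The forced-command idea in the message above (a shared SSH key whose authorized_keys entry pins what the holder may run) only holds up if the forced command itself refuses everything except the intended rsync invocation, which is exactly the concern Phil raises about SSH users executing other commands. The wrapper below is an added example written for this page, not code from the thread or from the rsync project; the install path /usr/local/bin/rsync-only, the directory /srv/rsync/pub and the option allowlist are assumptions to be adapted. It reads the client's requested command from SSH_ORIGINAL_COMMAND, which sshd sets when a `command=` option is in force, and permits only a read-only `rsync --server --sender` of the pinned directory.

```shell
#!/bin/sh
# rsync-only: forced-command wrapper for a shared, well-known SSH key.
# Added example for this page (not from the rsync project or the thread).
#
# Hypothetical authorized_keys line on the server (paths and key constructed):
#   command="/usr/local/bin/rsync-only /srv/rsync/pub",no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding ssh-rsa AAAA...
#
# With a key that everyone holds, this command= option plus the no-* options
# are the whole security boundary, so the wrapper must be strict.

set -f   # never glob-expand words taken from the client's command line

# Return 0 if $1 is an acceptable read-only rsync server invocation confined
# to directory $2, 1 otherwise.
check_rsync_command() {
    cmd=$1
    allowed_dir=$2

    case "$cmd" in
        # Shell metacharacters are never part of a legitimate rsync server
        # command; refusing them also keeps the word splitting below honest.
        *[\;\&\|\`\$\(\)\<\>\\\'\"]*) return 1 ;;
        # Only the server-side, sending (read-only for the client) form.
        "rsync --server --sender "*) ;;
        *) return 1 ;;
    esac

    # Split into words: rsync --server --sender <options...> . <path>
    set -- $cmd
    shift 3
    [ "$#" -ge 2 ] || return 1

    # Everything before the "." placeholder must be an option we allow.
    # Short bundles such as -vlogDtpre.iLsfxC are how rsync encodes the
    # client's flags; long options are reduced to a small allowlist
    # (assumed policy, tune for your deployment) so nothing that names a
    # file on the server (e.g. log or list files) gets through.
    while [ "$#" -gt 2 ]; do
        case "$1" in
            -[!-]*) ;;
            --numeric-ids|--list-only|--exclude=*|--include=*) ;;
            *) return 1 ;;
        esac
        shift
    done

    [ "$1" = "." ] || return 1
    path=$2

    # The requested path must be the pinned directory or something below it.
    case "$path" in
        "$allowed_dir"|"$allowed_dir"/*) ;;
        *) return 1 ;;
    esac
    # ...and must not climb back out with a parent-directory component.
    case "/$path/" in
        */../*) return 1 ;;
    esac
    return 0
}

# Entry point when sshd runs this as the forced command: $1 is the pinned
# directory from the authorized_keys line, SSH_ORIGINAL_COMMAND the request.
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    allowed=${1:?usage: rsync-only <allowed-directory>}
    if check_rsync_command "$SSH_ORIGINAL_COMMAND" "$allowed"; then
        set -- $SSH_ORIGINAL_COMMAND
        shift                 # drop the literal "rsync" word
        exec rsync "$@"       # run the real binary with the validated arguments
    fi
    printf 'rsync-only: refused: %s\n' "$SSH_ORIGINAL_COMMAND" >&2
    exit 1
fi
```

Anything other than a pull from the pinned tree is refused: an upload (no `--sender`), a different path, a traversal such as `/srv/rsync/pub/../../etc`, a disallowed long option, or an unrelated command. rsync ships a maintained script of the same shape, `rrsync`, in its support/ directory, which handles rsync's option set more completely than the allowlist here.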