rsync over ssl (again)

Phil Howard phil at hamal.ipal.net
Thu Aug 22 05:38:00 EST 2002


A while back, I asked if there had been any consideration in making
rsync support direct ssl (as opposed to just ssh).  I've been looking
around for a secure way (e.g. encrypted, so passwords are never in
the clear, and even content is obscured from sniffers) to allow a
set of limited-trust users (limited-trust being defined as mostly
customers, whom you trust with their own data, but not with shell
accounts and such) to access data using rsync (or I guess we might
call it "srsync").

Fortunately things like pop3 and imap4 have secure equivalents.
But I also have a need to give users the ability to upload and
download their own data securely, and the only good tool to do
that without granting them something that might open a shell for
them is https.  But for large transfers, that just does not work
very well, and I think rsync would be a much better answer if
the security issue can be worked out.

The server side can be readily done through something like stunnel.
But on the client side, stunnel would be cumbersome considering the
user base involved.

If this can be done, I'd also like to see if there is some way to
overload the usage of port 873 for both insecure and secure usage.
I don't know how the protocol works, but if it does enough of the
right startup negotiation, it might be possible to safely decide
if the session needs to be done securely, then switch to secure
mode and restart the session negotiation (including server identity
certification validation).  Any thoughts on this?

-- 
-----------------------------------------------------------------
| Phil Howard - KA9WGN |   Dallas   | http://linuxhomepage.com/ |
| phil-nospam at ipal.net | Texas, USA | http://ka9wgn.ham.org/    |
-----------------------------------------------------------------
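
One way the port-sharing question above could be approached, shown as an added example that is not part of the original post and not rsync code: the listener peeks at the first bytes a client sends and tells a TLS handshake record apart from the plaintext `@RSYNCD: ` daemon greeting. This replaces the in-protocol "switch to secure mode" negotiation with first-byte detection and assumes the client speaks first; the function names and the `allow_plaintext` policy flag are hypothetical.

```python
# Added illustration (hypothetical names): classify the first bytes seen on a
# shared port as TLS, plaintext rsync daemon protocol, or neither.
RSYNC_GREETING = b"@RSYNCD: "   # prefix of the plaintext rsync daemon greeting
TLS_HANDSHAKE = 0x16            # TLS record content type: handshake
TLS_MAJOR = 0x03                # record-layer major version (SSL 3.0 / TLS 1.x)


def classify(first: bytes) -> str:
    """Return 'tls', 'rsync', 'need-more' or 'reject' for the bytes peeked so far."""
    if not first:
        return "need-more"
    if first[0] == TLS_HANDSHAKE:
        if len(first) < 2:
            return "need-more"
        return "tls" if first[1] == TLS_MAJOR else "reject"
    # Compare against as much of the greeting as has arrived; a short read
    # that still matches is not yet a decision.
    n = min(len(first), len(RSYNC_GREETING))
    if first[:n] != RSYNC_GREETING[:n]:
        return "reject"
    return "rsync" if n == len(RSYNC_GREETING) else "need-more"


def decide(first: bytes, allow_plaintext: bool) -> str:
    """Policy step: 'handshake', 'plaintext', 'wait' or 'close'."""
    kind = classify(first)
    if kind == "tls":
        return "handshake"      # wrap the socket, then run rsync inside TLS
    if kind == "rsync":
        # Refusing plaintext here keeps passwords off the wire when a client
        # (or something in the path) skips TLS.
        return "plaintext" if allow_plaintext else "close"
    return "wait" if kind == "need-more" else "close"


if __name__ == "__main__":
    # Constructed sample inputs, not captured traffic.
    samples = [b"\x16\x03\x01\x00\xc8", b"@RSYNCD: 26\n", b"@RSY", b"GET / HTTP/1.0\r\n"]
    for s in samples:
        print(repr(s[:12]), classify(s), decide(s, allow_plaintext=False))
```

A real listener would read these bytes with `socket.recv(..., socket.MSG_PEEK)` so the TLS library still receives the handshake record intact.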


