restricting rsync over ssh

Dave Dykstra dwd at
Thu May 30 13:56:05 EST 2002

On Wed, May 22, 2002 at 02:39:00PM -0700, Mike Rubel wrote:
> > > If so, I am trying to find the best way to restrict rsync -e ssh on the
> > > remote machine.  Prepending the authorized_keys entry with
> > > command='rsync ...' 1024... results in the 'Protocol mismatch - is your
> > > shell clean?' error.
> This brings up an interesting question.  Does anyone use the server
> version of rsyncd with an ssh tunnel?  In other words:
> On the server, bring up sshd listening on *:22, and rsyncd accepting
> connections from localhost only, port 873.
> Then, on the client machine, set up an ssh tunnel:
> ssh server -L 1873:server:873
> (I just picked 1873 for convenience; you could use any open
> user-accessible port).
> Then rsync to localhost:1873, letting ssh carry the connection over the
> tunnel to the server:
> rsync rsync://user@localhost:1873/path/to/source dest
> Does anyone use this approach?  Are there any advantages/disadvantages?

I didn't see any respones to your message so I guess it isn't very widely
done.  I haven't tried it but I don't see why it wouldn't work.  You could
probably use "hosts allow = localhost" to disallow people from using port
873 directly.

The solution we've been wanting to put in is JD Paul's patch to run 
rsync --daemon directly over ssh.  That would be easier to use because you
don't have to have to have anything listening on a port.

- Dave Dykstra

More information about the rsync mailing list