restricting rsync over ssh
dwd at bell-labs.com
Thu May 30 13:56:05 EST 2002
On Wed, May 22, 2002 at 02:39:00PM -0700, Mike Rubel wrote:
> > > If so, I am trying to find the best way to restrict rsync -e ssh on the
> > > remote machine. Prepending the authorized_keys entry with
> > > command='rsync ...' 1024... results in the 'Protocol mismatch - is your
> > > shell clean?' error.
> This brings up an interesting question. Does anyone use the server
> version of rsyncd with an ssh tunnel? In other words:
> On the server, bring up sshd listening on *:22, and rsyncd accepting
> connections from localhost only, port 873.
> Then, on the client machine, set up an ssh tunnel:
> ssh server -L 1873:server:873
> (I just picked 1873 for convenience; you could use any open
> user-accessible port).
> Then rsync to localhost:1873, letting ssh carry the connection over the
> tunnel to the server:
> rsync rsync://user@localhost:1873/path/to/source dest
> Does anyone use this approach? Are there any advantages/disadvantages?
I didn't see any responses to your message so I guess it isn't very widely
done. I haven't tried it but I don't see why it wouldn't work. You could
probably use "hosts allow = localhost" to disallow people from using port
The solution we've been wanting to put in is JD Paul's patch to run
rsync --daemon directly over ssh. That would be easier to use because you
don't have to have anything listening on a port.
- Dave Dykstra
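
Added example, not part of the original thread: the tunnel setup above only restricts access if rsyncd cannot be reached except through ssh, so this sketch audits an rsyncd.conf for that property. The function name, file names and module names are constructed for illustration; only the literal values localhost, 127.0.0.1 and ::1 are treated as loopback.

```shell
#!/bin/sh
# Return 0 if the daemon is bound to loopback ("address" in the global
# section) or every module's effective "hosts allow" is loopback-only.
audit_rsyncd_conf() {
    awk '
    function loopback_only(v,    n, i, a) {
        n = split(v, a, /[ \t,]+/)
        for (i = 1; i <= n; i++)
            if (a[i] != "" && a[i] != "localhost" && a[i] != "127.0.0.1" && a[i] != "::1")
                return 0
        return v != ""            # an unset "hosts allow" admits every host
    }
    function close_module() {
        if (in_mod && !loopback_only(mod_allow)) exposed++
    }
    /^[ \t]*(#|$)/ { next }       # skip comments and blank lines
    /^[ \t]*\[/    { close_module(); in_mod = 1; mod_allow = glob_allow; next }
    {
        eq = index($0, "=")
        if (eq == 0) next
        key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
        gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
        if (key == "address" && !in_mod) bound = loopback_only(val)
        if (key == "hosts allow") { if (in_mod) mod_allow = val; else glob_allow = val }
    }
    END { close_module(); if (bound || exposed == 0) exit 0; exit 1 }
    ' "$1"
}

# Constructed sample configs (not taken from the thread).
SAMPLES=$(mktemp -d)
printf '%s\n' 'address = 127.0.0.1' '[backup]' '    path = /srv/backup' \
    > "$SAMPLES/bound.conf"
printf '%s\n' '[backup]' '    path = /srv/backup' '    hosts allow = localhost' \
    > "$SAMPLES/allow.conf"
printf '%s\n' '[backup]' '    path = /srv/backup' '    hosts allow = localhost' \
    '[pub]' '    path = /srv/pub' \
    > "$SAMPLES/exposed.conf"

for f in "$SAMPLES"/*.conf; do
    if audit_rsyncd_conf "$f"; then echo "tunnel-only  $f"; else echo "EXPOSED      $f"; fi
done
```

The third sample fails because the [pub] module has no "hosts allow" and the daemon is not bound to a loopback address, so that module stays reachable on port 873 without going through ssh.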