Daemon-mode authentication documentation

cbarratt at users.sourceforge.net cbarratt at users.sourceforge.net
Tue Jan 6 20:13:56 GMT 2004


Steve Schultze writes:

> I have found reference a couple of places on the web describing the 
> details of authentication when rsync'ing with the server in 
> daemon/non-shell mode.  For example:
> 
> http://www.linuxjournal.com/article.php?sid=6508
> "rsync's authentication mechanism, available only when run in dæmon 
> mode, is based on a reasonably strong 128-bit MD5 challenge-response 
> scheme. This is superior to standard FTP authentication for two 
> reasons. First, passwords are not transmitted over the network and 
> therefore are not subject to eavesdropping attacks."
> 
> This fact is important for people who wish to optimize their transfer 
> speed and minimize processor load and are not synchronizing sensitive 
> data (they only wish to protect their username/password).  I would 
> guess that people frequently end up tunneling over ssh when their 
> security requirements don't actually necessitate it.
> 
> There is no mention of the encrypted authentication scheme in the rsync 
> man pages or on the site, as far as I can tell.  So, I have 2 requests:
> 
> 1. Can someone confirm that this description of the auth mechanism is 
> accurate?

Almost.  It is a challenge-response scheme based on 128-bit MD4, not
MD5. The cryptographers in the audience might tell you that this is
not as secure as MD5, but direct attacks are still difficult.

However, like most challenge-response schemes, it is vulnerable to a
dictionary attack.  If you sniff a challenge-response pair, you can
brute force attempt long lists of words to try to find the password.
So it is important to choose passwords that are not simple words or
combinations of words, i.e. with unusual combinations of letters,
case, numbers, punctuation, etc.

> 2. Can someone update the documentation?

Please propose a patch to rsync.yo or rsyncd.conf.yo.

Craig
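
Craig's reply describes the scheme only in prose. What follows is an added Python model of the exchange, written for this page rather than taken from the thread or from rsync's source: the server issues a random challenge, the client answers with the MD4 digest of the shared secret and the challenge, and the server recomputes the same value from its stored secret, so the secret itself never crosses the wire. The concatenation order (secret, then challenge), the base64 encoding, the 16-byte challenge length and the `recoverable_from_capture` audit helper are assumptions of this example. A pure-Python `md4` is included so the file runs even where OpenSSL does not expose MD4.

```python
"""Model of a challenge-response login of the kind the reply describes.

Constructed example, not rsync's code: concatenation order, base64
encoding and challenge length are assumptions of this model.
"""
import base64
import secrets
import struct
from typing import Optional

_MASK = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & _MASK


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4 digest (16 bytes), little-endian words."""
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", len(data) * 8)
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for i in range(16):                      # round 1: F, words in order
            f = (b & c) | (~b & d)
            a = _rotl((a + f + x[i]) & _MASK, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                      # round 2: G, column order
            g = (b & c) | (b & d) | (c & d)
            k = (i % 4) * 4 + i // 4
            a = _rotl((a + g + x[k] + 0x5A827999) & _MASK, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                      # round 3: H, bit-reversed order
            h = b ^ c ^ d
            k = (0, 2, 1, 3)[i // 4] + (0, 8, 4, 12)[i % 4]
            a = _rotl((a + h + x[k] + 0x6ED9EBA1) & _MASK, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        a, b, c, d = ((a + aa) & _MASK, (b + bb) & _MASK,
                      (c + cc) & _MASK, (d + dd) & _MASK)
    return struct.pack("<4I", a, b, c, d)


def new_challenge() -> str:
    """Server side: a fresh random challenge for this login attempt (assumed 16 bytes)."""
    return base64.b64encode(secrets.token_bytes(16)).decode()


def respond(secret: str, challenge: str) -> str:
    """Client side: prove knowledge of the secret without sending it.
    Assumed layout: MD4(secret || challenge), base64-encoded."""
    return base64.b64encode(md4(secret.encode() + challenge.encode())).decode()


def verify(secret_store: dict, user: str, challenge: str, response: str) -> bool:
    """Server side: recompute from the stored secret, compare in constant time."""
    secret = secret_store.get(user)
    if secret is None:
        return False
    return secrets.compare_digest(respond(secret, challenge), response)


def recoverable_from_capture(challenge: str, response: str, wordlist) -> Optional[str]:
    """The weakness Craig points out: one sniffed (challenge, response) pair
    lets candidate secrets be tested offline.  Used here as a strength audit
    of a shared secret: returns the secret if it is in the list, else None."""
    for candidate in wordlist:
        if respond(candidate, challenge) == response:
            return candidate
    return None


def run_exchange(secret_store: dict, user: str, client_secret: str):
    """One full login; returns (accepted, (challenge, response) as seen on the wire)."""
    challenge = new_challenge()
    response = respond(client_secret, challenge)
    return verify(secret_store, user, challenge, response), (challenge, response)


if __name__ == "__main__":
    store = {"backup": "sunshine"}          # constructed: a dictionary-word secret
    ok, captured = run_exchange(store, "backup", "sunshine")
    print("login accepted:", ok)
    print("secret on the wire:", "sunshine" in "".join(captured))
    print("recovered from capture:",
          recoverable_from_capture(*captured, ["letmein", "sunshine"]))
```

The audit helper makes the reply's point concrete: the exchange never transmits the secret, yet a plain dictionary word is recovered from a single captured pair, while a secret absent from the list is not. That is why the reply's advice on unusual combinations of letters, case, numbers and punctuation matters even though the password itself is not sent.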
