rsync via tunnel - 3 boxes separated by internet [solved]
me at heyjay.com
Wed Aug 24 19:25:57 GMT 2005
Hi Wayne, I'm not subscribed anymore, but I once sent you this
example/FAQ. I searched the archives (because I needed to implement
this) and noticed I never posted the solution (like a dummy). Would you
post it for me?
Backing up through a firewall
Its very common to have a setup where you can not reach the machine you
want to backup directly, because it is behind a firewall. Below are
(layout1): you --internet-- firewall -- target
(layout2): you --internet-- firewall -- ssh server -- target
where the "firewall" either lets you log in directly using ssh or the
firewall forwards ssh connections to another machine "ssh server" which
you can log into.
Either way you can't log into the "target" directly from the outside,
but the files you want to back up live on the target.
Below are 2 methods for accomplishing this feat, both have advantages
and disadvantages, your choice.
Method #1 - Use ssh to hop to the target machine
1) Configure passwordless login from the machine which you can log into
(the "firewall" in layout1 and the "ssh server" in layout2) to "target".
Numerous examples of configuring this exist a google away, but in
general on the machine you can log into, you create a public/private key
pair. Copy the public key to the "target" and append the contents of the
public key to the .ssh/auauthorized_keys file.
2) execute your rsync command - its that easy
you~$ rsync -av --rsync-path="ssh target rsync" firewall:/source/ /dest/
This command looks like it is copying a file from the firewall, but the
remote command run on the firewall to start rsync really
contacts the target and runs the remote rsync there, so "/source/"
is coming from the target.
Advantages of Method #1
* you can do it without any sys admin help (avoid the BOFH)
* you can backup any file to which you have access to on the target
Disadvantages of Method #1
* you have to manage you public/private keys
* adds another security hole in that if your login onto the
firewall or ssh server is compromised, the invader can reach the target
Method #2 - Install and configure an rsync server on the target and use
an ssh tunnel to reach the rsync sever
Installing the rsync server is beyond the scope of this document, but
again it's just a google away.
Once your rsync server is up and running you build an ssh tunnel through
you firewall like:
you~$ ssh -N -l userid_on_firewall -L 873:target:873 firewall
What this does is connects to the firewall, and directs port 873 on
"you" through the ssh tunnel, and out the other end at port 873 on the
Now when rsync is executed, which talks on port 873, the conversation is
directed to the target.
In another window execute
you~$ rsync -arv localhost::<rsync_server_module_name>/source ./dest
Advantages of Method #2
* If you are the one administering the rsync server, you have finer
control over who can access what files
* Removes the passwordless access to the target machine
Disadvantages of Method #2
* More issues with file permissions
* More servers running more stuff to administer
More information about the rsync