rsync through multiple ssh hops with password
hashproduct at verizon.net
Thu Oct 27 21:09:38 GMT 2005
On Thu, 2005-10-27 at 21:48 +0100, Manuel López-Ibáñez wrote:
> Method 1: no rsync daemon server, passwordless authentication in middle
> Method 2: no rsync daemon server, using SSH proxy
> Method 3: no rsync daemon server, using SSH port forwarding
> Method 4: no rsync daemon server, using SSH tunnel
The difference between #3 and #4 is not port forwarding vs. tunnel
(we've been using the terms synonymously) but SSH port vs. rsync daemon
port. Here's how I would summarize all the methods:
#1: Rsync runs a chained SSH command as transport; authentication on
middle must be passwordless
#2: Rsync SSH-es to target using a proxy command that first SSH-es to
#3: Forward target's SSH port to a local port; rsync SSH-es to that port
#4: Run rsync daemon on target and forward its port to a local port;
rsync accesses the daemon using that port
I dislike #1 because the middle machine can subvert the connection. I
dislike #3 and #4 because (a) one must remember to set up and take down
the tunnel and (b) others can take advantage of the tunnel. (If, as
many hope, SSH learns to forward filesystem sockets, (b) will go away.)
Except for some technicalities in how the proxy connection closes, #2 is
the ideal technique, and that's what I use to access my school's
firewalled backup machine.
The updated FAQ is very nice, but perhaps the "rsync through a firewall"
section should be factored out into another page because it occupies
more than half of the FAQ page.
Incidentally, I set up SSH on my machine to prefer password
authentication to keyboard-interactive authentication; now the password
prompt shows the target user and host. Thanks, Carson!
Matt McCutchen, ``hashproduct''
hashproduct at verizon.net -- http://mysite.verizon.net/hashproduct/
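The four methods above, written out as an ssh_config and the matching rsync command lines. This is an added example, not configuration from the original post or from the rsync project; the host names (middle.example.org, target.internal.example.org), the user name and the local ports are placeholders. The ProxyCommand uses the nc relay that was the common form in 2005; OpenSSH 5.4 and later can use "ssh -W %h:%p middle" and OpenSSH 7.3 and later "ProxyJump middle" to the same effect. The last function is a small check for the port-forwarding variants: it accepts only -L specs that bind the listener to loopback explicitly, so the exposure of the tunnel does not depend on the GatewayPorts setting (other users of the local machine can still reach a loopback listener, which is objection (b) in the post).

```shell
#!/bin/sh
# Added example (not from the original post): rsync to a firewalled "target"
# reachable only through "middle". Host names, user and ports are assumed.
set -eu

# Method 2: ProxyCommand. The local ssh logs in to middle and uses that session
# only as a byte pipe to target:22; the SSH session to target is then
# end-to-end (checked against target's own host key), so middle sees only
# ciphertext and cannot subvert the transfer as it could in method 1.
write_ssh_config() {
  cat > "$1" <<'EOF'
Host middle
    HostName middle.example.org
    User alice

Host target
    HostName target.internal.example.org
    User alice
    ProxyCommand ssh -q middle nc %h %p
EOF
}

# Method 2 rsync invocation: nothing to set up beforehand or tear down after.
# $1 = ssh_config path, $2 = local source, $3 = destination path on target
rsync_via_proxy() {
  printf 'rsync -avz -e "ssh -F %s" %s target:%s\n' "$1" "$2" "$3"
}

# Method 3: forward target's SSH port to a local port, then rsync over SSH to
# that port. The listener is bound to 127.0.0.1 explicitly.
# $1 = local port
forward_ssh_port() {
  printf 'ssh -f -N -L 127.0.0.1:%s:target.internal.example.org:22 middle\n' "$1"
}
# $1 = local port, $2 = local source, $3 = destination path on target
rsync_via_forward() {
  printf 'rsync -avz -e "ssh -p %s" %s localhost:%s\n' "$1" "$2" "$3"
}

# Method 4: same tunnel idea, but forwarding an rsync daemon listening on
# target:873 and talking to it with the rsync:// syntax (no SSH to target).
# $1 = local port
forward_daemon_port() {
  printf 'ssh -f -N -L 127.0.0.1:%s:target.internal.example.org:873 middle\n' "$1"
}
# $1 = local port, $2 = local source, $3 = daemon module/path on target
rsync_via_daemon_forward() {
  printf 'rsync -avz %s rsync://localhost:%s/%s\n' "$2" "$1" "$3"
}

# Check for a -L spec ([bind_address:]port:host:hostport): accept only specs
# that name a loopback bind address. A bare "port:host:hostport" binds to
# loopback only while GatewayPorts is "no", and "*:" or "0.0.0.0:" exposes
# the tunnel to the network rather than just to local users, so both are
# rejected here. Returns 0 (ok) or 1 (rejected).
forward_spec_binds_loopback() {
  case "$1" in
    127.0.0.1:*|localhost:*|"[::1]:"*) return 0 ;;
    *) return 1 ;;
  esac
}

# Stand-alone run: print the config and the command lines.
if [ "${1:-}" = "--show" ]; then
  cfg=$(mktemp)
  write_ssh_config "$cfg"
  cat "$cfg"
  rsync_via_proxy "$cfg" /home/alice/data/ /backup/data/
  forward_ssh_port 2222
  rsync_via_forward 2222 /home/alice/data/ /backup/data/
  forward_daemon_port 8873
  rsync_via_daemon_forward 8873 /home/alice/data/ backup
  rm -f "$cfg"
fi
```

Run with "--show" to print the generated ssh_config and the five command lines; with a real middle and target, only the ProxyCommand path needs no tunnel left running between transfers.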