rsync through multiple ssh hops with password authentication prompt

Manuel López-Ibáñez manuellopezibanez at
Thu Oct 27 21:28:50 GMT 2005

Yes, your explanations are better. I will promote #2 to become #1, since 
it is more likely the one that will work better in all situations.

Another thing is... if you can use "Method #2 Rsync SSH-es to target 
using a proxy command that first SSH-es to middle" also with rsync 
daemon servers, then: is there any possible advantage in the other three 
methods? If not, can we remove everything but Method #2, possibly 
with another example using an rsync daemon server? You know, I remember 
some saying about keeping things simple "something".


Matt McCutchen wrote:
> On Thu, 2005-10-27 at 21:48 +0100, Manuel López-Ibáñez wrote:
>>Method 1: no rsync daemon server, passwordless authentication in middle 
>>Method 2: no rsync daemon server, using SSH proxy
>>Method 3: no rsync daemon server, using SSH port forwarding
>>Method 4: no rsync daemon server, using SSH tunnel
> The difference between #3 and #4 is not port forwarding vs. tunnel
> (we've been using the terms synonymously) but SSH port vs. rsync daemon
> port.  Here's how I would summarize all the methods:
> #1: Rsync runs a chained SSH command as transport; authentication on
> middle must be passwordless
> #2: Rsync SSH-es to target using a proxy command that first SSH-es to
> middle
> #3: Forward target's SSH port to a local port; rsync SSH-es to that port
> #4: Run rsync daemon on target and forward its port to a local port;
> rsync accesses the daemon using that port
> I dislike #1 because the middle machine can subvert the connection.  I
> dislike #3 and #4 because (a) one must remember to set up and take down
> the tunnel and (b) others can take advantage of the tunnel.  (If, as
> many hope, SSH learns to forward filesystem sockets, (b) will go away.)
> Except for some technicalities in how the proxy connection closes, #2 is
> the ideal technique, and that's what I use to access my school's
> firewalled backup machine.
> The updated FAQ is very nice, but perhaps the "rsync through a firewall"
> section should be factored out into another page because it occupies
> more than half of the FAQ page.
> Incidentally, I set up SSH on my machine to prefer password
> authentication to keyboard-interactive authentication; now the password
> prompt shows the target user and host.  Thanks, Carson!
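
Methods #2 and #3 from the summary above, written out as rsync wrappers (an added example, not code from this thread or from the rsync FAQ). The host names, local port and function names are assumptions, and the proxy command uses `ssh -W`, an OpenSSH option that postdates this message.

```shell
#!/bin/sh
# Added example: methods #2 and #3 as rsync wrappers. Host names, the local
# port and all function names are constructed for illustration.
# Set DRY_RUN=1 to print each command instead of running it.

run() {
    if [ -n "$DRY_RUN" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Method #2: rsync's ssh reaches target through a proxy command that first
# SSH-es to middle. The SSH session and host key check are end-to-end with
# target; middle only relays the encrypted stream.
proxy_transport() {    # $1 = [user@]middle
    printf 'ssh -o ProxyCommand="ssh -W %%h:%%p %s"' "$1"
}

rsync_method2() {      # $1 = [user@]middle  $2 = source  $3 = [user@]target:dest
    run rsync -av -e "$(proxy_transport "$1")" "$2" "$3"
}

# Method #3: forward target's SSH port to a local port and rsync to that.
# The forward is bound to loopback and is always taken down afterwards,
# which covers point (a); other local users can still connect to the port
# while it is up, which is point (b).
rsync_method3() {      # $1 = [user@]middle  $2 = target host  $3 = local port
                       # $4 = source  $5 = target user  $6 = dest path
    sock="$HOME/.ssh/rsync-hop.$$"            # control socket for teardown
    run ssh -f -N -M -S "$sock" -L "127.0.0.1:$3:$2:22" "$1" || return 1
    # HostKeyAlias checks the key against target's known_hosts entry,
    # not against an entry for 127.0.0.1.
    run rsync -av -e "ssh -p $3 -o HostKeyAlias=$2" "$4" "$5@127.0.0.1:$6"
    status=$?
    run ssh -S "$sock" -O exit "$1"
    return "$status"
}
```

With `DRY_RUN=1` the printed commands lose their shell quoting, so read them as a trace rather than something to paste back into a shell.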
