Individual User Auth without SSH or stand alone passwd file...
Bill Uhl
bill at greenlightnet.com
Tue Oct 10 12:05:42 GMT 2006
Michael,
What if you don't run rsync in daemon mode? From the rsync man page...
USING RSYNC-DAEMON FEATURES VIA A REMOTE-SHELL CONNECTION
It is sometimes useful to use various features of an rsync daemon (such
as named modules) without actually allowing any new socket connections
into a system (other than what is already required to allow remote-shell
access). Rsync supports connecting to a host using a remote shell and
then spawning a single-use "daemon" server that expects to read its
config file in the home dir of the remote user.
--------
You could set up sshd on the server to accept password logins and accept
logins from all of your users. sshd should be able to use pam or
whatever password backend your system has set up. Each user might have a
~/.ssh/ dir, if needed. Try to lock down access to the sshd to the local
net if you are accepting passwords.
You could put a default ~/rsyncd.conf in the users home and have them
invoke rsync as a single-use "daemon". You could probably set up the
rsyncd.conf in the skel dir for setting up new users. In this mode, you
don't need to have rsync do a separate auth. The sshd will restrict the
user to whatever their rights are on the server, so they won't access
others' files. Since the connection is in the user's context, the files
will automatically be owned by the user and will not need to be chown'd.
You shouldn't need to set up rsync in the inet daemon as sshd will spawn
the rsync on the server on demand.
On the Windows side, you can create a batch file that will run the
appropriate rsync command and back up the files in a user-maintained
include/exclude file. You could set this up in the scheduler on the
Windows system as well.
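To make the two halves of that setup concrete, here is an added example (my own illustration, not code from Bill's post or from the rsync project) of the per-user config the single-use daemon reads from the remote user's home directory, and of the client command that triggers that mode by combining --rsh=ssh with the host::module syntax. The module name "backup", the directory names, the user/host names and the exclude-file name are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example, not part of the original post. Module/path/user/host names
# below are assumptions for illustration.

# Write the per-user rsyncd.conf. rsync started over a remote shell with the
# host::module syntax reads "rsyncd.conf" from the remote user's home dir.
# Because this runs as an ordinary user, chroot must be disabled, and no
# "auth users"/"secrets file" is needed: sshd has already authenticated.
write_rsyncd_conf() {
    conf="$1"; module="$2"; dir="$3"
    cat > "$conf" <<EOF
# single-use daemon config, read from the user's home dir when rsync is
# spawned through ssh with the host::module syntax
use chroot = false
log file = $dir/rsyncd.log

[$module]
    path = $dir
    comment = per-user backup area
    read only = false
EOF
}

# Compose the client-side command: ssh as the transport, daemon-style module
# addressing, and a user-maintained exclude list. The same command line can
# be dropped into a Windows batch file for the scheduler.
client_cmd() {
    user="$1"; host="$2"; module="$3"; src="$4"; excl="$5"
    printf 'rsync -av --rsh=ssh --exclude-from=%s %s %s@%s::%s/\n' \
        "$excl" "$src" "$user" "$host" "$module"
}

# Sanity check on a generated config: the module section must exist and
# carry a path, otherwise the single-use daemon refuses the module.
conf_has_module() {
    grep -q "^\[$2\]" "$1" && grep -q '^[[:space:]]*path = ' "$1"
}

# Demonstration in a scratch directory (stands in for the user's $HOME).
demo_dir=$(mktemp -d)
write_rsyncd_conf "$demo_dir/rsyncd.conf" backup "$demo_dir/backup"
cat "$demo_dir/rsyncd.conf"
client_cmd alice backup.example.org backup 'C:/Users/alice/Documents/' excludes.txt
```

Copying the generated file to ~/rsyncd.conf on the server (or into the skel directory, as suggested above) is all the server-side preparation needed; sshd does the authentication and the files land owned by the connecting user.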
While I have not set this up as an end to end system, I have used all of
this as different pieces at one time or another and they can all be made
to work. It shouldn't be too hard to put the pieces together to provide
a system that's relatively simple to maintain.
Just FYI...
I used to use an rsync patch to use an ldap backend. Because of the
nature of password authentication in rsync, it required a separate
password from the system password because the rsync password needed to
be in plain text. I have not found a copy of a current version of the
patch since rsync 2.6.4, I think. I don't know if it is still being
maintained.
Another alternative to consider...
Train your users not to keep important files on their workstations, or
don't let them. All important files should be kept on the server, where
they can be properly protected and backed up. Since Windows workstations
have a nasty habit of becoming unstable, it is better to consider the
workstation build disposable, in case stupid user tricks make a rebuild
necessary. With a change in the registry, the user's default 'Documents
and Settings' subtree can be directed to a network share on your server.
Just a thought...
Bill Uhl
GreenLight Networks, LLC