Individual User Auth without SSH or stand alone passwd file...

Bill Uhl bill at greenlightnet.com
Tue Oct 10 12:05:42 GMT 2006


Michael,

What if you don't run rsync in daemon mode? From the rsync man page...

USING RSYNC-DAEMON FEATURES VIA A REMOTE-SHELL CONNECTION
It is sometimes useful to use various features of an rsync daemon (such 
as named modules) without actually allowing any new socket connections 
into a system (other than what is already required to allow remote-shell 
access). Rsync supports connecting to a host using a remote shell and 
then spawning a single-use "daemon" server that expects to read its 
config file in the home dir of the remote user.
--------

You could set up sshd on the server to accept password logins and accept 
logins from all of your users. sshd should be able to use pam or 
whatever password backend your system has set up. Each user might have a 
~/.ssh/ dir, if needed. Try to lock down access to the sshd to the local 
net if you are accepting passwords.

You could put a default ~/rsyncd.conf in the users home and have them 
invoke rsync as a single-use "daemon". You could probably set up the 
rsyncd.conf in the skel dir for setting up new users. In this mode, you 
don't need to have rsync do a separate auth. The sshd will restrict the 
user to whatever their rights are on the server, so they won't access 
others' files. Since the connection is in the user's context, the files 
will automatically be owned by the user and will not need to be chown'd.

You shouldn't need to set up rsync in the inet daemon as sshd will spawn 
the rsync on the server on demand.

On the Windows side, you can create a batch file that will run the 
appropriate rsync command and back up the files in a user-maintained 
include/exclude file. You could set this up in the scheduler on the 
Windows system as well.

While I have not set this up as an end-to-end system, I have used all of 
this as different pieces at one time or another and they can all be made 
to work. It shouldn't be too hard to put the pieces together to provide 
a system that's relatively simple to maintain.

Just FYI...
I used to use an rsync patch to use an ldap backend. Because of the 
nature of password authentication in rsync, it required a separate 
password from the system password because the rsync password needed to 
be in plain text. I have not found a copy of a current version of the 
patch since rsync 2.6.4, I think. I don't know if it is still being 
maintained.

Another alternative to consider...
Train your users not to or don't let them keep important files on their 
workstations. All important files should be kept on the server, where 
they can be properly protected and backed up. Since Windows workstations 
have a nasty habit of becoming unstable, it is better to consider the 
workstation build disposable, in case stupid user tricks make a rebuild 
necessary. With a change in the registry, the user's default 'Documents 
and Settings' subtree can be directed to a network share on your server. 
Just a thought...

Bill Uhl
GreenLight Networks, LLC
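The setup sketched in the post above (a per-user rsyncd.conf read by the single-use daemon that sshd spawns, plus the client command that triggers it), as an added example that is not part of the original message. The module name "backup", the directory layout and the include/exclude file names are assumptions; the server-side function can be run once per home directory or against the skel dir.

```shell
#!/bin/sh
# Server side: write a rsyncd.conf into a user's home directory. rsync
# reads ~/rsyncd.conf (not /etc/rsyncd.conf) when the client addresses a
# module as "user@host::module" together with --rsh=ssh, so sshd does the
# authentication and the daemon runs with that user's own rights.
install_user_rsyncd_conf() {
    home="$1"
    mkdir -p "$home/backup"
    cat > "$home/rsyncd.conf" <<EOF
# Module name "backup" is an assumption for this example.
# The daemon runs as the ssh-authenticated user, so no separate
# "auth users"/"secrets file" is needed: sshd already did the auth.
# A non-root daemon cannot chroot, so this must be turned off.
use chroot = no
# The default is read only = yes; a backup target must accept writes.
read only = no
[backup]
    path = $home/backup
    comment = workstation backup, confined to the user's own home
EOF
}

# Client side (the Windows batch file would contain this one command):
# the double colon selects the single-use daemon; a single colon would be
# plain rsync-over-ssh without the module config. include.txt and
# exclude.txt are the user-maintained files mentioned in the post
# (assumed names); source path is a Cygwin-style path (assumption).
client_backup_cmd() {
    user="$1"; server="$2"; src="$3"
    printf 'rsync -av --rsh=ssh --include-from=include.txt --exclude-from=exclude.txt %s %s@%s::backup/\n' \
        "$src" "$user" "$server"
}

# Example run (constructed values): writes /tmp/example-home/rsyncd.conf
# and prints the command the workstation would schedule.
if [ "${0##*/}" = "rsync-ssh-daemon.sh" ]; then
    install_user_rsyncd_conf /tmp/example-home
    client_backup_cmd alice backup.example.net /cygdrive/c/Users/alice/
fi
```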
