rsync and kerberos

Bacchella Fabrice fabrice.bacchella at exalead.com
Mon Aug 25 16:58:38 GMT 2008


On 22 Aug 08 at 19:24, Simo Sorce wrote:

> On Fri, 2008-08-22 at 17:57 +0200, Bacchella Fabrice wrote:
>> I would like to use gssapi authentication in rsync. GSSAPI is the
>> standard way to use kerberos.
>>

>>
>> Any help and advice is welcome.
>
> If you can use ssh then use ssh+GSSAPI auth and you will have to change
> nothing.
>
> But kerberizing the protocol itself is a *very* good idea, especially if
> you also use signing and sealing using GSSAPI.
>
> I very much look forward to any patch in this area, and I hope other rsync
> developers can help you to shape them down so that they can rapidly be
> accepted upstream.
> I'd be happy also to test patches when they are ready if you post them
> somewhere.
>
> Simo.

A first shot.

This patch only adds gssapi authentication, I wanted it to be simple
and fast to code.

I add the following command in the protocol:
GSS <host principal>

To use it, just add:
        use gssapi = yes

in your conf.
The auth users should be kerberos principals.

configure tries to detect gssapi but it can be disabled by --without-gssapi

This is a first draft. Comments are welcome.

There is an added file and a patch, as I'm not very fluent in git. I
don't know how to generate a single diff.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: gss-auth.tar.bz2
Type: application/bzip2
Size: 4944 bytes
Desc: not available
Url : http://lists.samba.org/archive/rsync/attachments/20080825/4c9d266a/gss-auth.tar.bin
-------------- next part --------------



I tried it on a Gentoo Linux and Solaris 10, it works fine. There is
still a minor glitch in Mac OS 10.5: if the ticket for the service
(host/fqdn@DOMAIN) doesn't already exist, it's unable to get it. I don't
know why.


