Rsync via two ssh tunnels possible (standard method mentioned k times not possible?)

Matt McCutchen matt at
Sat Dec 13 05:10:23 GMT 2008

On Fri, 2008-12-12 at 12:56 +0100, Roman Fiedler wrote:
> The goal is to sync two directories using rsync without running the 
> rsync daemon on one of the two hosts. The standard shell sync does not 
> work because of the network topology:
> Ssh connect to SRC-Host
>         ^
> Base host (with ssh keys)
>         v
> Ssh connect to bridge with tunnel for next ssh
>         v
> Ssh connect to DST host via bridge.
> No direct connection SRC/DST is possible, the ssh keys only reside on 
> base host and cannot be copied to any other host.
> My idea was to create ssh tunnels (plain port forward) from DST:4444 to 
> base:5555, base:5555 to SRC:6666 (result tunnel DST:4444->SRC:6666) and 
> run on SRC:
>    nc -lp 6666 -e rsync --server -a . .
> and something like that at DST
>    rsync -a rsync://localhost:4444/ .
> but that fails on src side with:
>    protocol version mismatch -- is your shell clean?
>    (see the rsync man page for an explanation)
>    rsync error: protocol incompatibility (code 2) at compat.c(61) 
> [receiver=2.6.9]

That's a good idea.  The only problem is that the receiver is expecting
to speak the daemon protocol since you used an rsync:// URL, but the
sender is playing the role of a bare server.

I suggest you just replace your "nc" command with an rsync daemon
listening on port 6666 on the SRC machine.  This isn't any less secure
than what you're trying now.

If you really don't want an rsync daemon anywhere in the picture (though
I'm not clear on why), you could use a single-colon source argument with
"-e 'nc localhost 4444 #'" to have the client connect to the forwarded
port and expect a bare server.  But then it's your responsibility to
make sure the server arguments on SRC are correct; rsync may crash if
they aren't.


More information about the rsync mailing list