Daemon connection security [Re: error code 10 when using ::]

Matt McCutchen matt at mattmccutchen.net
Wed Jan 2 02:42:39 GMT 2008


On Wed, 2008-01-02 at 03:20 +0100, Olivier Thauvin wrote:
> IIRC, the rsync protocol does not transfer the password in clear text, but uses a 
> challenge method to perform the password verification.
> 
> This means either with rsync or ssh, the authentication is "secure". But saying 
> both are secure is not enough; it depends on the security level you want.
> 
> When you use ssh, all data are completely encrypted; you can use either ssh 
> key or password authentication.
> When you use the rsync daemon, transfers are faster (no encryption eating CPU), 
> but anyone on the network can sniff the traffic and get the data.

To elaborate: Rsync daemon connections do not even have integrity
checking, so an attacker who controls the network could watch the
authentication happen and then take over the connection and perform his
own transfer.  Rsync daemon authentication assumes that clients can make
uninterceptible connections to the daemon; it simply provides a way to
restrict module access to a subset of those clients.  All the
challenge-response does is avoid the compromise of daemon passwords,
e.g., when an unredacted transcript of a connection is attached to a bug
report.

Matt
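A small model of the daemon challenge-response Matt describes, added here as an illustration and not code from rsync or from either poster: the daemon sends a random challenge, the client answers with a hash of the password concatenated with that challenge, and the daemon recomputes it from its secrets file. The hash, the `@RSYNCD: AUTHREQD` line format and the base64 without padding are simplifications of what rsync does (the digest depends on protocol version); the names `secrets`, `observer_view` and `replay_is_rejected` are this example's own. What it shows is that a captured transcript yields a hash rather than the password and cannot be replayed against a fresh challenge, while verification produces only a yes/no, never a key that would protect the transfer that follows.

```python
import base64
import hashlib
import hmac
import os


def make_challenge() -> str:
    """Daemon side: a fresh random nonce sent in the AUTHREQD line."""
    return base64.b64encode(os.urandom(16)).decode().rstrip("=")


def auth_response(password: str, challenge: str) -> str:
    """Client side: hash(password || challenge), base64 without padding.
    MD5 is an assumption for this model; rsync's digest varies by protocol."""
    digest = hashlib.md5((password + challenge).encode()).digest()
    return base64.b64encode(digest).decode().rstrip("=")


def daemon_verify(secrets: dict, user: str, challenge: str, response: str) -> bool:
    """Daemon side: recompute from the secrets file and compare in constant time.
    Note the return type: a bool, not a session key. Nothing sent after this
    point is encrypted or authenticated, which is the gap the post describes."""
    password = secrets.get(user)
    if password is None:
        return False
    return hmac.compare_digest(auth_response(password, challenge), response)


def observer_view(user: str, challenge: str, response: str) -> str:
    """What a passive sniffer (or an unredacted bug-report transcript) contains."""
    return f"@RSYNCD: AUTHREQD {challenge}\n{user} {response}\n"


def replay_is_rejected(secrets: dict, user: str) -> bool:
    """Captured response is useless against a new challenge: auth protects the
    password, but only the password. Constructed sample secrets file below."""
    old_challenge = make_challenge()
    captured = auth_response(secrets[user], old_challenge)
    assert daemon_verify(secrets, user, old_challenge, captured)
    return not daemon_verify(secrets, user, make_challenge(), captured)


if __name__ == "__main__":
    secrets = {"backup": "s3cret-pass"}          # constructed sample
    c = make_challenge()
    r = auth_response(secrets["backup"], c)
    print(observer_view("backup", c, r))
    print("replay rejected:", replay_is_rejected(secrets, "backup"))
```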
