Incremental file updates over a network, NFS?

jp jp at saucer.midcoast.com
Tue Mar 18 20:46:23 GMT 2008


For internal stuff, there is a hosts allow/deny feature built right into 
the rsync configuration file to allow access to rsync storage places only 
from a particular IP address.

For general Internet stuff, I too did not want interactive logins, thus 
preventing the ssh key method of using ssh to encrypt/authenticate.

I have set up an OpenVPN server on the Linux rsync server, and that uses 
PKI for the encryption/authentication. OpenVPN is a good UDP-based VPN 
system. Basically you make a script to create a key for each customer 
when you set up their rsync config. They will use the server's public key 
and their own key to connect and encrypt between them and the server. 
You get encryption, but don't need user accounts. You generate the 
certificates yourself using the OpenVPN openssl scripts, and can revoke 
the certs for clients who should no longer connect to the rsync server. 
Rsync can use its own protocol for rsync traffic in this situation.


On Fri, Mar 14, 2008 at 03:00:50PM +0100, Andy Smith wrote:
> Ok, thanks for the info. That seems to open up the issue of network 
> security (yes NFS security normally isn't great, but...)
> 
> rsyncd native: is this bug free and secure (based on 
> hosts_allow/hosts_deny?), perhaps a good solution with tcpwrappers? 
> rsh: no thanks
> ssh: don't really want to have to put public private 
> keys on systems to allow non interactive logons
> 
> Any comments on the above assessment or advice from others regarding 
> security?
> 
> thanks Andy.
>   Rsync works on a client/server system. So it's recommended to 
> install rsync on both machines (your and the server), so you bypass 
> NFS and connect to the server via rsync protocol. That's the way to 
> use the delta incremental algorithm.

-- 
/*
Jason Philbrook   |   Midcoast Internet Solutions - Wireless and DSL
    KB1IOJ        |   Broadband Internet Access, Dialup, and Hosting 
 http://f64.nu/   |   for Midcoast Maine    http://www.midcoast.com/
*/
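
Added example, not part of the original post or of rsync/OpenVPN: a sketch of the per-customer script described above, generating an rsyncd.conf that listens only on the VPN address and a module that only one customer's VPN address may reach. It assumes each customer is given a fixed address inside the tunnel; the names, paths and 10.8.0.x addresses are constructed.

```shell
#!/bin/sh
# Added example: all names, paths and addresses below are constructed.
# Assumption: every customer has a fixed address inside the OpenVPN tunnel.

# Reject names that could break out of the [module] header or the path.
valid_name() {
    case "$1" in
        ''|*[!A-Za-z0-9_-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Accept a single dotted-quad IPv4 address only (no masks, no wildcards).
valid_ipv4() {
    case "$1" in ''|*[!0-9.]*) return 1 ;; esac
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS; IFS=.
    set -- $1                      # split into the four octets
    IFS=$old_ifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Global section: bind the daemon to the server's tunnel address so the
# unencrypted rsync protocol is never offered on the Internet interface.
make_global() {
    valid_ipv4 "$1" || { echo "bad server VPN address" >&2; return 1; }
    printf 'address = %s\nuse chroot = yes\n' "$1"
}

# Per-customer module: "hosts allow" is checked first, then "hosts deny".
make_module() {
    valid_name "$1" || { echo "bad customer name" >&2; return 1; }
    valid_ipv4 "$2" || { echo "bad customer VPN address" >&2; return 1; }
    cat <<EOF
[$1]
    path = /srv/rsync/$1
    read only = no
    list = no
    hosts allow = $2
    hosts deny = *
EOF
}

make_global 10.8.0.1               # constructed server tunnel address
make_module acme 10.8.0.10         # constructed customer and address
```

Revoking a customer's certificate stops the tunnel from coming up, so the module becomes unreachable even if its stanza is still in the file.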

