Incremental file updates over a network, NFS?
jp
jp at saucer.midcoast.com
Tue Mar 18 20:46:23 GMT 2008
For internal stuff, there is a hosts allow/deny feature built right into
the rsync configuration file to allow access to rsync storage places only
from a particular IP address.
For general Internet stuff, I too did not want interactive logins, thus
preventing the ssh key method of using ssh to encrypt/authenticate.
I have set up an OpenVPN server on the Linux rsync server, and that uses
PKI for the encryption/authentication. OpenVPN is a good UDP-based VPN
system. Basically you make a script to create a key for each customer
when you set up their rsync config. They will use the server's public key
and their own key to connect and encrypt between them and the server.
You get encryption, but don't need user accounts. You generate the
certificates yourself using the OpenVPN openssl scripts, and can revoke
the certs for clients who should no longer connect to the rsync server.
Rsync can use its own protocol for rsync traffic in this situation.
On Fri, Mar 14, 2008 at 03:00:50PM +0100, Andy Smith wrote:
> Ok, thanks for the info. That seems to open up the issue of network
> security (yes NFS security normally isn't great, but...)
>
> rsyncd native: is this bug free and secure (based on
> hosts_allow/hosts_deny?), perhaps a good solution with tcpwrappers?
> rsh: no thanks
> ssh: don't really want to have to put public private
> keys on systems to allow non-interactive logons
>
> Any comments on the above assessment or advice from others regarding
> security?
>
> thanks Andy.
> Rsync works on a client/server system. So it's recommended to
> install rsync on both machines (yours and the server), so you bypass
> NFS and connect to the server via rsync protocol. That's the way to
> use the delta incremental algorithm.
--
/*
Jason Philbrook | Midcoast Internet Solutions - Wireless and DSL
KB1IOJ | Broadband Internet Access, Dialup, and Hosting
http://f64.nu/ | for Midcoast Maine http://www.midcoast.com/
*/
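
Added example, not part of the message above or of the rsync or OpenVPN projects: a sketch of the per-customer script the message describes, emitting an rsyncd.conf module whose `hosts allow` is pinned to the fixed VPN address that OpenVPN assigns to that customer's certificate. The 10.8.0.0/24 subnet, `topology subnet`, the `/srv/rsync` path and all function names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example; subnet, paths and function names are constructed.
LC_ALL=C; export LC_ALL
VPN_NET="10.8.0"              # assumed VPN subnet 10.8.0.0/24
VPN_SERVER_IP="$VPN_NET.1"    # assumed address of the server's tun interface
VPN_NETMASK="255.255.255.0"
DATA_ROOT="/srv/rsync"        # assumed storage root

# Accept only short names of lowercase letters, digits, "_" and "-", so a
# customer name can never add config lines or path components.
valid_name() {
    case "$1" in
        ""|*[!a-z0-9_-]*) return 1 ;;
    esac
    [ "${#1}" -le 32 ]
}

# Accept only host numbers 2..254 with no leading zero.
valid_host() {
    case "$1" in
        ""|0*|*[!0-9]*) return 1 ;;
    esac
    [ "${#1}" -le 3 ] && [ "$1" -ge 2 ] && [ "$1" -le 254 ]
}

# Global rsyncd.conf line: listen on the VPN address only.
rsync_global() { printf 'address = %s\n' "$VPN_SERVER_IP"; }

# Module stanza for one customer: reachable only from that customer's VPN IP.
rsync_module() {
    valid_name "$1" && valid_host "$2" || return 1
    cat <<EOF
[$1]
    path = $DATA_ROOT/$1
    read only = false
    use chroot = true
    hosts allow = $VPN_NET.$2
    hosts deny = *
EOF
}

# Contents of the client-config-dir file named after the certificate CN;
# it gives that certificate the same fixed VPN address.
ccd_entry() {
    valid_name "$1" && valid_host "$2" || return 1
    echo "ifconfig-push $VPN_NET.$2 $VPN_NETMASK"
}
```

Revoking a customer's certificate stops the tunnel from coming up, so the address named in `hosts allow` is no longer reachable by that customer.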