--password-file

lewis butler lbutler+rsync at covisp.net
Sun Feb 15 12:08:36 GMT 2009


The man page says:

        --password-file
               This option allows you to provide a password in a file for
               accessing an rsync daemon.  The file must not be world readable.
               It should contain just the password as a single line.


The trouble with this is that the file then shows up like this in an ls:

2 -rw-------  1 root  wheel  9 Jan 24  2007 /var/rsync.passwd.server.mount
2 -rw-------  1 root  wheel 11 Jun 30  2007 /var/rsync.passwd.serv2.moun2
2 -rw-------  1 root  wheel 10 Jul 14  2008 /var/rsync.passwd.tuesday.mountie

This tells everyone the exact length of each password (8 characters,
10 characters, and 9 characters, respectively).

Granted, it's not MUCH of a security issue, and I guess the
password-files can be stored somewhere out of reach, but it seems to me
that it would be better if the password-file supported a format
something like this:

## Rsync Password File
#
# updated 20090117

server::mount	password
serv2::moun2	password

# This server is only used on tuesdays
tue::mountie	password

## EOF

First off, it would let you have multiple passwords in a single file  
and second of all, it would completely conceal the lengths of each  
password.  (or some other format, even htpasswd format)


-- 
The Salvation Army Band played and the children drunk
	lemonade and the morning lasted all day, all day.
	And through an open window came like Sinatra in a
	younger day pushing the town away
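
Added example, not part of the original post and not rsync's own code: rsync itself reads only a single-password file, so this helper parses the multi-entry format proposed above and hands the matching password to rsync through the RSYNC_PASSWORD environment variable. The function names, the file name and the sample passwords are assumptions made for illustration.

```python
import os
import stat
import tempfile

# Constructed sample in the format proposed in the post; the passwords are made up.
SAMPLE = """## Rsync Password File
# updated 20090117
server::mount\tcorrect horse
serv2::moun2\ts3cret-two

# This server is only used on tuesdays
tue::mountie\ttuesday!
## EOF
"""

def load_password(path, target):
    """Return the password stored for a 'host::module' key (hypothetical helper)."""
    # Same rule rsync applies to --password-file: refuse a world-readable file.
    if os.stat(path).st_mode & stat.S_IROTH:
        raise PermissionError(f"{path} must not be world readable")
    with open(path, encoding="utf-8") as fh:
        for lineno, raw in enumerate(fh, 1):
            line = raw.rstrip("\r\n")
            if not line.strip() or line.lstrip().startswith("#"):
                continue  # blank line or comment
            # The first run of whitespace ends the key; the password may contain spaces.
            parts = line.split(None, 1)
            if len(parts) != 2:
                raise ValueError(f"{path}:{lineno}: expected 'host::module password'")
            if parts[0] == target:
                return parts[1]
    raise KeyError(target)

def rsync_env(path, target):
    env = dict(os.environ)  # copy, so the parent environment stays clean
    env["RSYNC_PASSWORD"] = load_password(path, target)
    return env  # pass as subprocess.run([...rsync command...], env=env)

def write_sample(directory):
    path = os.path.join(directory, "rsync.passwords")  # assumed file name
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        fh.write(SAMPLE)
    return path

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        p = write_sample(d)
        print(os.path.getsize(p), "bytes on disk for three passwords")
```

The rsync man page warns that on some systems environment variables are visible to all users, so this trades the file-size leak for a dependency on how the host exposes process environments.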


