Aw: Re: encrypted rsyncd - why was it never implemented?

Karl O. Pinc kop at meme.com
Wed Dec 3 13:38:15 MST 2014


On 12/03/2014 01:37:58 PM, Kevin Korb wrote:
> As far as a backup provider goes I wouldn't expect them to use rsync
> over SSL unless that were built into rsync in the future (and has been
> around long enough that most users would have it).
> 
> I would expect them to either use rsync over ssh secured by rrsync or
> rsyncd over ssh with them managing the rsyncd.conf file.  Either way
> the server side command would be forced and no other ssh functionality
> would be allowed.

<snip>

> I am thinking of something like this in sshd_config with
> whichever ForceCommand they would pick:
> 
> Match Group backupusers
>   X11Forwarding no
>   AllowTcpForwarding no
>   ForceCommand /usr/bin/rsync --server --daemon .
>   ForceCommand /usr/bin/rrsync-wrapper
> 
> Note that a wrapper or modification would be needed for rrsync since
> sshd_config doesn't support %u or %h in ForceCommand :(

I am using command="rsync --server --daemon ." 
in ~/ssh/authorized_keys.  Correct me if I'm wrong,
but I believe this eliminates the need for %u or %h
and ForceCommand.

It does mean that key based authentication is required,
but this does not seem burdensome for a backup oriented
solution.


Karl <kop at meme.com>
Free Software:  "You don't pay back, you pay forward."
                 -- Robert A. Heinlein
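
Added example, not part of the original message: the Match block quoted above turns off X11 and TCP forwarding, which a bare command= entry in authorized_keys does not do on its own, so this Python check reads authorized_keys lines and reports keys that lack the forced rsync daemon command or the per-key forwarding restrictions. The function names and the sample entries are constructed for illustration.

```python
import re

KEY_TYPE = re.compile(r"(ssh-|ecdsa-|sk-)")  # a line starting like this has no options
OPT = re.compile(r'([\w-]+)(?:="((?:[^"\\]|\\.)*)")?')  # name or name="value"
# Per-key equivalents of "AllowTcpForwarding no" and "X11Forwarding no".
NEEDED = {"no-port-forwarding", "no-x11-forwarding"}

def parse_options(line):
    """Return the options field of one authorized_keys line as {name: value}."""
    line = line.strip()
    opts, pos = {}, 0
    if KEY_TYPE.match(line):
        return opts
    while (m := OPT.match(line, pos)):
        # Option names are case-insensitive; \" is an escaped quote in a value.
        opts[m.group(1).lower()] = (m.group(2) or "").replace('\\"', '"')
        pos = m.end()
        if line[pos:pos + 1] != ",":
            break  # end of the options field, the key type follows
        pos += 1
    return opts

def audit(text, forced="rsync --server --daemon ."):
    """List (line number, problems) for keys that are not locked down."""
    findings = []
    for num, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        opts, problems = parse_options(line), []
        if opts.get("command") != forced:
            problems.append("no forced rsync daemon command")
        if "restrict" not in opts:  # restrict turns forwarding off by itself
            problems += sorted("missing " + o for o in NEEDED - set(opts))
        if problems:
            findings.append((num, problems))
    return findings

# Constructed sample entries; the key material is a placeholder.
SAMPLE = """\
command="rsync --server --daemon .",no-port-forwarding,no-X11-forwarding,no-pty ssh-ed25519 AAAAexample1 backup1
command="rsync --server --daemon ." ssh-ed25519 AAAAexample2 backup2
restrict,command="rsync --server --daemon ." ssh-ed25519 AAAAexample3 backup3
ssh-ed25519 AAAAexample4 admin
"""

if __name__ == "__main__":
    for num, problems in audit(SAMPLE):
        print(f"line {num}: {', '.join(problems)}")
```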

