Aw: Re: encrypted rsyncd - why was it never implemented?

Kevin Korb kmk at sanitarium.net
Wed Dec 3 13:41:48 MST 2014


Yes, that would work but as you say it would only work for key
authentication and you would have to control the users'
authorized_keys files.

Also, that isn't the one that would require %h or %u.  The alternative
would be something like:
command="/path/to/rrsync [-ro] /path/to/allow"

I actually use this myself for a couple of cron rsyncs.  They use
special unencrypted keys that are only allowed to do these things.

On 12/03/2014 03:38 PM, Karl O. Pinc wrote:
> On 12/03/2014 01:37:58 PM, Kevin Korb wrote:
>> As far as a backup provider goes I wouldn't expect them to use
>> rsync over SSL unless that were built into rsync in the future
>> (and has been around long enough that most users would have it).
>> 
>> I would expect them to either use rsync over ssh secured by
>> rrsync or rsyncd over ssh with them managing the rsyncd.conf
>> file.  Either way the server side command would be forced and no
>> other ssh functionality would be allowed.
> 
> <snip>
> 
>> I am thinking of something like this within sshd_config with
>> whichever ForceCommand they would pick:
>> 
>> Match Group backupusers
>>     X11Forwarding no
>>     AllowTcpForwarding no
>>     ForceCommand /usr/bin/rsync --server --daemon .
>>     ForceCommand /usr/bin/rrsync-wrapper
>> 
>> Note that a wrapper or modification would be needed for rrsync
>> since sshd_config doesn't support %u or %h in ForceCommand :(
> 
> I am using command="rsync --server --daemon ." in
> ~/ssh/authorized_keys.  Correct me if I'm wrong, but I believe this
> eliminates the need for %u or %h and ForceCommand.
> 
> It does mean that key based authentication is required, but this
> does not seem burdensome for a backup oriented solution.
> 
> 
> Karl <kop at meme.com>
> Free Software:  "You don't pay back, you pay forward."
>                  -- Robert A. Heinlein
> 

-- 
~*-,._.,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,-*~
	Kevin Korb			Phone:    (407) 252-6853
	Systems Administrator		Internet:
	FutureQuest, Inc.		Kevin at FutureQuest.net  (work)
	Orlando, Florida		kmk at sanitarium.net (personal)
	Web page:			http://www.sanitarium.net/
	PGP public key available on web site.
~*-,._.,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,-*~
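
Added example, not part of the original message and not code from the rsync project: a Python check over authorized_keys lines for the setup discussed in this thread, that is, a key forced to rrsync or to an rsync daemon, with forwarding disabled as in the sshd_config variant. The sample lines, key placeholders and function names are constructed for illustration; command=, restrict and the no-* names are standard OpenSSH authorized_keys options.

```python
import re

# First whitespace-delimited field; double-quoted values may contain spaces.
FIELD = re.compile(r'((?:[^\s"]|"(?:\\.|[^"\\])*")+)\s+(.*)')
# One option: name or name="value", followed by a comma or the end of the field.
OPTION = re.compile(r'([A-Za-z0-9-]+)(?:="((?:\\.|[^"\\])*)")?(?:,|$)')
KEYTYPE = re.compile(r'(ssh-|ecdsa-|sk-)')
# Forced commands named in the thread: rrsync [-ro] DIR, or rsync in daemon mode.
FORCED_OK = re.compile(r'(\S*/)?(rrsync( -ro)? /\S+|rsync --server --daemon \.)')
LOCKDOWN = {"no-port-forwarding", "no-x11-forwarding",
            "no-agent-forwarding", "no-pty"}

def audit_line(line):
    """Return findings for one authorized_keys line; [] means locked down."""
    line = line.strip()
    if not line or line.startswith("#"):
        return []
    m = FIELD.match(line)
    if not m:
        return ["unparseable line"]
    if KEYTYPE.match(m.group(1)):  # line starts with the key type: no options
        return ["no options: key is not limited to rsync"]
    opts = {name.lower(): value for name, value in OPTION.findall(m.group(1))}
    findings = []
    cmd = opts.get("command", "")
    if not cmd:
        findings.append("no command= option: the client picks what runs")
    elif not FORCED_OK.fullmatch(cmd):
        findings.append("forced command is not rrsync or rsync daemon: " + cmd)
    # A forced command alone does not disable port, X11 or agent forwarding.
    missing = set() if "restrict" in opts else LOCKDOWN - set(opts)
    if missing:
        findings.append("still allowed, missing: " + ", ".join(sorted(missing)))
    return findings

def audit(text):
    """Map 1-based line number -> findings, for lines that have any."""
    pairs = ((n, audit_line(l)) for n, l in enumerate(text.splitlines(), 1))
    return {n: f for n, f in pairs if f}

# Constructed sample; key material replaced by a placeholder.
SAMPLE = """\
command="/path/to/rrsync -ro /path/to/allow",restrict ssh-ed25519 AAAA...placeholder cron-backup
command="rsync --server --daemon ." ssh-ed25519 AAAA...placeholder daemon-over-ssh
ssh-ed25519 AAAA...placeholder unrestricted
"""

if __name__ == "__main__":
    print(audit(SAMPLE))
```
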

