Date: Wed, 6 Jun 2001 20:12:12 -0400 (EDT)
From: Jim Weeks <jim@siteplus.net>
To: Alexander Leidinger <Alexander@leidinger.net>
Cc: erichz@superhero.org, freebsd-isp@FreeBSD.ORG
Subject: Re: rsync for mirroring
Message-ID: <Pine.BSF.4.21.0106061948150.1844-100000@veager.siteplus.net>
In-Reply-To: <200106061435.f56EZw018621@Magelan.Leidinger.net>
On Wed, 6 Jun 2001, Alexander Leidinger wrote:

>
> I haven't read the article, but if I read the above paragraph: No! Don't
> rely on security by obscurity!
>
> If you run ssh as root: just do ssh port forwarding and only allow
> connections to the rsync daemon from localhost. Now just connect the
> rsync client to the ssh tunnel.
> But: do this only if you trust the users on the system where the rsync
> daemon runs.

Alexander,

I may have been misunderstood. I am not proposing running ssh as root. I am
referring to running rsyncd as uid-root and gid-wheel in order to copy such
files as master.passwd. As I understand it, the rsyncd daemon runs as read
only in the default configuration. Also, you may use any nondescript
rsync-username and password combination to initiate the transfer of files.
In this instance, ssh is only used as the transport agent. Login security is
handled by rsyncd, and with the aid of ssh is encrypted.

I do agree, obscurity is of very little use if you allow shell access to
untrusted users. On the other hand, setting (list=false) in rsyncd.conf will
effectively prevent anyone from simply requesting a list of modules.

As always, this is my opinion. Anyone choosing to build on or adapt this
information to their own use should do so with their own specific security
issues in mind.

--
Jim Weeks


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-isp" in the body of the message
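The setup the two posters converge on (a read-only rsync daemon bound to localhost, root uid/gid so it can read master.passwd, `list = false`, a daemon user/password, and an ssh port forward carrying the client connection) fits in one rsyncd.conf plus a tunnel command. The following is an added example, not code from either poster; the host name `mirror.example.net`, the module name `etc`, the daemon user `mirror`, the secrets-file path, the tunnel login and the local port 8873 are assumed values. The checker function only greps for the settings named in the thread, so it catches a config that drifted, not a misconfigured host.

```shell
#!/bin/sh
# Added example (not from the original thread). Renders an rsyncd.conf for a
# read-only, root-uid mirror module that is reachable only through an ssh
# port forward, checks it for the settings discussed, and shows the client
# side of the tunnel. Host, module, user and paths are assumed values.

render_rsyncd_conf() {
    cat <<'EOF'
# --- global section ---
pid file = /var/run/rsyncd.pid
log file = /var/log/rsyncd.log
# Listen on loopback only; connections arriving through the ssh forward
# reach the daemon with a source address of 127.0.0.1.
address = 127.0.0.1
port = 873

[etc]
    comment = read-only mirror of /etc (master.passwd is mode 600, owner root)
    path = /etc
    uid = root
    gid = wheel
    use chroot = yes
    read only = yes
    # Do not answer module-list requests.
    list = false
    # Daemon-level login; the password never leaves the ssh tunnel.
    auth users = mirror
    # Format "user:password"; rsync refuses a secrets file that is readable
    # by others (strict modes are on by default).
    secrets file = /usr/local/etc/rsyncd.secrets
    hosts allow = 127.0.0.1
EOF
}

# Returns 0 when the config carries every hardening setting from the thread,
# 1 (and a note on stderr) otherwise.
check_rsyncd_conf() {
    conf="$1"
    for want in 'address = 127.0.0.1' 'read only = yes' 'list = false' \
                'auth users = ' 'secrets file = ' 'hosts allow = 127.0.0.1'; do
        if ! grep -q "^[[:space:]]*$want" "$conf"; then
            echo "rsyncd.conf is missing: $want" >&2
            return 1
        fi
    done
    return 0
}

# Client side: forward local port 8873 to the daemon's loopback socket on the
# mirror host, then run the rsync daemon protocol through that forward.
# Not executed by default; set RUN_MIRROR=1 to actually run it.
mirror_via_tunnel() {
    ssh -N -f -L 8873:127.0.0.1:873 tunnel@mirror.example.net
    rsync -av --password-file=/root/.rsync-mirror-pw \
        rsync://mirror@127.0.0.1:8873/etc/ /var/mirror/etc/
}

# Render the config into a temporary file and verify it.
tmp=$(mktemp)
render_rsyncd_conf > "$tmp"
if check_rsyncd_conf "$tmp"; then
    echo "rsyncd.conf passes checks: $tmp"
fi
if [ "${RUN_MIRROR:-0}" = 1 ]; then
    mirror_via_tunnel
fi
rm -f "$tmp"
```

The daemon-side password only authenticates the module login; the confidentiality of both the login exchange and the file contents comes from the ssh forward, which is why the daemon binds to loopback and `hosts allow` admits only 127.0.0.1. Anyone with a shell on the daemon host can reach that loopback socket, which is the caveat Alexander raises above.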