Date: Wed, 6 Jun 2001 20:35:02 -0400 (EDT)
From: Jim Weeks <jim@siteplus.net>
To: Alexander Leidinger <Alexander@leidinger.net>
Cc: erichz@superhero.org, freebsd-isp@FreeBSD.ORG
Subject: Re: rsync for mirroring
Message-ID: <Pine.BSF.4.21.0106062016530.1891-100000@veager.siteplus.net>
In-Reply-To: <Pine.BSF.4.21.0106061948150.1844-100000@veager.siteplus.net>
Another thought on this subject. I suggest starting rsyncd from inetd. If I were super paranoid, I would run a cron-induced shell script on the server machine that would only enable rsyncd and -HUP inetd for the short period of time the client machine needs to make the connection. It would also be a simple matter to automate setting these connection times at random since you are already sync-ing the client machine with the server. The new random connection time information could be sent along with the transfer.

--
Jim Weeks

On Wed, 6 Jun 2001, Jim Weeks wrote:

> On Wed, 6 Jun 2001, Alexander Leidinger wrote:
>
> > I haven't read the article, but if I read the above paragraph: No! Don't rely on security by obscurity!
> >
> > If you run ssh as root: just do ssh port forwarding and only allow connections to the rsync daemon from localhost. Now just connect the rsync client to the ssh tunnel.
> > But: do this only if you trust the users on the system where the rsync daemon runs.
>
> Alexander,
>
> I may have been misunderstood. I am not proposing running ssh as root. I am referring to running rsyncd as uid-root and gid-wheel in order to copy such files as master.passwd. As I understand it, the rsyncd daemon runs as read only in the default configuration. Also, you may use any nondescript rsync-username and password combination to initiate the transfer of files. In this instance, ssh is only used as the transport agent. Login security is handled by rsyncd, and with the aid of ssh is encrypted.
>
> I do agree, obscurity is of very little use if you allow shell access to untrusted users. On the other hand, setting (list=false) in rsyncd.conf will effectively prevent anyone from simply requesting a list of modules.
>
> As always, this is my opinion. Anyone choosing to build on or adapt this information to their own use should do so with their own specific security issues in mind.
>
> --
> Jim Weeks
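To make the two positions in the thread concrete, here is an added example (not from either poster) of an rsyncd.conf in the shape Alexander and Jim describe: a read-only module with `list = false`, rsync-level authentication, and the daemon reachable only on localhost so that the only path in is an ssh port forward. A small POSIX-sh checker flags a config that misses any of those settings. The module name, user name, paths and the weak "before" config are constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the mailing-list thread. Names are made up.
# Client side would be, e.g.:
#   ssh -L 8730:127.0.0.1:873 backup@server        (tunnel to the daemon)
#   rsync -a rsync://mirroruser@localhost:8730/etcmirror/ /backup/etc/

# Constructed hardened config: loopback only, read-only, unlisted, rsync auth.
write_hardened_conf() {
    cat > "$1" <<'EOF'
# only reachable through the ssh tunnel on the loopback interface
address = 127.0.0.1
hosts allow = 127.0.0.1
use chroot = yes

[etcmirror]
    path = /etc
    read only = yes
    list = false
    auth users = mirroruser
    secrets file = /etc/rsyncd.secrets
EOF
}

# Constructed weak config for contrast: listens everywhere, listable, writable,
# and relies on nothing but the obscurity of the module name.
write_weak_conf() {
    cat > "$1" <<'EOF'
[etcmirror]
    path = /etc
    read only = no
    list = yes
EOF
}

# Print the lower-cased value of a key (first match; spaces and case ignored).
conf_value() {
    awk -F= -v key="$2" '
        tolower($1) ~ "^[ \t]*" key "[ \t]*$" {
            v = $2; gsub(/^[ \t]+|[ \t]+$/, "", v); print tolower(v); exit }
    ' "$1"
}

# Return 0 when the file has the hardened settings, 1 (with a reason) otherwise.
check_rsyncd_conf() {
    f="$1"
    [ "$(conf_value "$f" 'read only')" = "yes" ]        || { echo "$f: module is writable"; return 1; }
    [ "$(conf_value "$f" 'list')" = "false" ]           || { echo "$f: module listing enabled"; return 1; }
    [ "$(conf_value "$f" 'hosts allow')" = "127.0.0.1" ] || { echo "$f: not limited to localhost"; return 1; }
    [ -n "$(conf_value "$f" 'auth users')" ]            || { echo "$f: no rsync-level auth users"; return 1; }
    return 0
}
```

Run `check_rsyncd_conf /etc/rsyncd.conf` from cron or a deploy script; it does not replace the ssh tunnel, it only confirms the daemon is not exposed without it.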