Date:      Thu, 7 Jun 2001 11:26:22 +0200 (CEST)
From:      Alexander Leidinger <Alexander@Leidinger.net>
To:        jim@siteplus.net
Cc:        richz@superhero.org, freebsd-isp@FreeBSD.ORG
Subject:   Re: rsync for mirroring
Message-ID:  <200106070926.f579QN217410@Magelan.Leidinger.net>
In-Reply-To: <Pine.BSF.4.21.0106061948150.1844-100000@veager.siteplus.net>

On  6 Jun, Jim Weeks wrote:

>> I haven't read the article, but if I read the above paragraph: No! Don't
>> rely on security by obscurity!
>> 
>> If you run ssh as root: just do ssh port forwarding and only allow
>> connections to the rsync daemon from localhost. Now just connect the
>> rsync client to the ssh tunnel.
>> But: do this only if you trust the users on the system where the rsync
>> daemon runs.
> 
> Alexander,
> 
> I may have been misunderstood.  I am not proposing running ssh as root.  I
> am referring to running rsyncd as uid-root and gid-wheel in order to copy
> such files as master.passwd.  As I understand it, the rsyncd daemon runs
> as read only in the default configuration.  Also, you may use any
> nondescript rsync-username and password combination to initiate the
> transfer of files.  In this instance, ssh is only used as the transport
> agent.  Login security is handled by rsyncd, and with the aid of ssh is
> encrypted.

How does rsync use ssh if it connects to an rsyncd?

rsyncd runs on a specific port and waits for connections to this port
(which ssh doesn't do). In the rsyncd case the password will be
encrypted (128 bit MD4 based challenge response system), the data will
not be encrypted (ssh isn't used).
Using rsync over ssh opens a connection via ssh to the other host,
starts rsync and pipes the data through the encrypted ssh connection
from one instance of rsync to the other instance of rsync (no rsyncd
involved here).

You didn't want to share your master.passwd with the world, right? So
you have to either refuse to use rsyncd, or you have to do ssh port
forwarding, tunnel the rsync connection through it ("rsync ...
rsync:myself@localhost:<portnum you use for forwarding>/...") and only
allow connections to rsyncd from localhost.

Bye,
Alexander.

-- 
                Where do you think you're going today?

http://www.Leidinger.net                       Alexander @ Leidinger.net
  GPG fingerprint = C518 BC70 E67F 143F BE91  3365 79E2 9C60 B006 3FE7
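
An added example of the setup the reply describes, written for this archive page and not taken from the thread or from the rsync project: an rsyncd running as root with a read-only module and a password, reachable only from loopback, with the client pointed at the local end of an ssh port forward. The hostname mirror.example.net, the ssh user admin, the rsync user mirror, the module name etc, local port 8873 and the passwords are all assumptions; the client URL uses rsync's rsync://user@host:port/module form.

```shell
#!/bin/sh
# Added example, not from the original thread. Shows the setup the reply
# describes: rsyncd (running as root, read only, password-protected) that
# only accepts loopback clients, reached through an ssh port forward.
# Hostnames, user names, the "etc" module and the passwords are assumptions.

# --- Server side -----------------------------------------------------------
# write_rsyncd_conf DIR: writes DIR/rsyncd.conf and DIR/rsyncd.secrets.
write_rsyncd_conf() {
    dir=$1
    cat > "$dir/rsyncd.conf" <<EOF
# The weak setting would be "hosts allow = *": anyone who can reach port
# 873 may talk to the daemon and the transfer crosses the wire in clear.
# Only the local end of the ssh forward may connect:
hosts allow = 127.0.0.1
hosts deny = *
# Belt and braces: listen on loopback only.
address = 127.0.0.1

[etc]
    path = /etc
    comment = master copy of /etc (includes master.passwd)
    read only = yes
    uid = root
    gid = wheel
    auth users = mirror
    secrets file = $dir/rsyncd.secrets
    strict modes = yes
EOF
    # "user:password" lines; with strict modes rsyncd rejects a secrets
    # file readable by anyone but its owner, hence chmod 600.
    printf 'mirror:%s\n' 'example-password-change-me' > "$dir/rsyncd.secrets"
    chmod 600 "$dir/rsyncd.secrets"
}

# rsyncd_is_localhost_only CONF: succeeds only if every "hosts allow" line
# in CONF names loopback addresses alone (a quick audit of a running config).
rsyncd_is_localhost_only() {
    allow=$(grep -i '^[[:space:]]*hosts allow' "$1" \
            | sed 's/^[^=]*=[[:space:]]*//' | tr ',' ' ')
    [ -n "$allow" ] || return 1            # no restriction at all
    for h in $allow; do
        case $h in
            127.0.0.1|localhost|::1) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# --- Client side -----------------------------------------------------------
# rsync_tunnel_url USER PORT MODULE: the rsync:// form of the URL that
# points the client at the local end of the forward.
rsync_tunnel_url() {
    printf 'rsync://%s@localhost:%s/%s/' "$1" "$2" "$3"
}

# mirror_over_tunnel HOST SSHUSER LOCALPORT DEST: forward LOCALPORT to
# 127.0.0.1:873 as seen from HOST, so rsyncd sees a loopback peer, then
# mirror the "etc" module through the tunnel and tear the tunnel down.
mirror_over_tunnel() {
    host=$1 sshuser=$2 lport=$3 dest=$4
    ssh -N -L "$lport:127.0.0.1:873" "$sshuser@$host" &
    tunnel=$!
    sleep 2                                # crude wait for the forward
    RSYNC_PASSWORD='example-password-change-me' \
        rsync -av "$(rsync_tunnel_url mirror "$lport" etc)" "$dest/"
    status=$?
    kill "$tunnel"
    return "$status"
}

# Run the real mirror only when asked; sourcing the file just defines helpers.
if [ "${RUN_MIRROR:-0}" = 1 ]; then
    mirror_over_tunnel mirror.example.net admin 8873 /var/mirror/etc
fi
```

The forward's far end is 127.0.0.1:873 on the mirror host, so the daemon sees every tunnelled connection arriving from loopback, which is exactly what `hosts allow = 127.0.0.1` admits; ssh provides the confidentiality that a bare rsyncd connection lacks, while the daemon's own challenge-response login still decides who may read the module. The caveat in the reply still holds: any local user on the mirror host can also reach the loopback port, so the rsyncd password and the 0600 secrets file are what stand between them and master.passwd.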

