On 7/19/07, Alan Cheers <[EMAIL PROTECTED]> wrote:
> I think I understand a bit better now. To use SSH you don't get to use the daemon (unless you specify the remote shell/which may cause loss of features).
Well, you have the choice of (1) a single-use daemon invoked over ssh or (2) a connection proxied or forwarded by ssh to a background daemon. In general, if you merely want to use an rsync feature that is available only when using a daemon, you would invoke a single-use daemon (#1) in your own remote account. On the other hand, if you want a daemon that authenticates untrusted users and then offers them carefully controlled access, you would usually set up a background daemon (#2) and then add the ssh if you need the encryption or firewall-bypassing. To do #1, all you have to do is move the configuration file on the daemon side if necessary (the daemon looks for it by default in the remote home directory instead of /etc) and pass "-e ssh" on the client. To do #2...
> I am still interested in encrypting the traffic AND using a daemon. The manual says something to the effect of using SSH to tunnel a local port to a remote machine and configure a normal rsync daemon to accept localhost traffic. Can you explain the tunneling a port part?
This would be the fourth method on http://rsync.samba.org/firewall.html . On the client, you tell ssh to forward connections to a local port of your choice to the remote port on which the daemon is listening. That means that, every time something on your computer connects to the local port, the local ssh signals the remote ssh to open a corresponding connection to the daemon's port. The two ssh processes then pass the data back and forth over the encrypted connection so that, for all the rsync client can tell, it is talking directly to the daemon. This setup guarantees that no one can snoop on your own exchange with the daemon but does nothing to stop others from connecting to it themselves and accessing the modules. You can block this in either or both of two places: (1) stop others from connecting to the daemon, or (2) set up authentication on the daemon so they can't access modules once they connect. To do #2, create a secrets file and set "auth users"; see the rsyncd.conf man page. For #1, you're already safe if a firewall blocks connections to the daemon port from outside a private network whose users you all trust. If not, you can tell the daemon to accept connections only from the remote machine itself by setting "address = localhost"; then you're in danger only from users who can log into the remote machine via ssh or similar means and make such connections.

Notwithstanding that paragraph, if you forward a local port to the daemon's port, you're additionally in danger of others on the local machine piggybacking on that forward. Using a ProxyCommand in place of a port forward (see method 2 on http://rsync.samba.org/firewall.html ) doesn't have the piggybacking problem and also tends to be more convenient.

Matt
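The two setups Matt describes, written out as an added example (not code from the thread or from the rsync project): a daemon-side rsyncd.conf bound to localhost with "auth users" and a secrets file, the client-side ssh forward and rsync invocation for method 4, and the single-use daemon over ssh for method 1. Every name here is assumed for illustration: remote host backup.example.org, rsync user alice, module "pub", daemon port 873, local forward port 8873, exported directory /srv/pub. The ProxyCommand variant (method 2) is not shown.

```shell
#!/bin/sh
# Added example, not from the original thread or the rsync project.
# Generates the daemon-side config and the client command lines for the
# "ssh port forward to a localhost-bound daemon" setup (method 4 on
# rsync.samba.org/firewall.html) and for the single-use daemon over ssh
# (method 1). All host, user, module and port names below are assumed.

REMOTE_HOST=backup.example.org
RSYNC_USER=alice
MODULE=pub
DAEMON_PORT=873
LOCAL_PORT=8873

# Daemon side (goes on the remote machine, e.g. as /etc/rsyncd.conf).
# "address = localhost": accept only connections that arrive on the remote
# loopback, i.e. those coming out of the ssh forward or from users already
# logged in there. "auth users" + "secrets file": reaching the port is not
# enough to get into the module.
write_rsyncd_conf() {   # $1 = conf path, $2 = secrets file path, $3 = exported dir
    cat > "$1" <<EOF
address = localhost
port = $DAEMON_PORT
strict modes = yes

[$MODULE]
    path = $3
    read only = yes
    auth users = $RSYNC_USER
    secrets file = $2
EOF
}

# Secrets file: "user:password" lines. With "strict modes" on, rsync
# refuses a secrets file that anyone but its owner can read, so create
# it with a restrictive umask and fix the mode if the file already existed.
write_secrets() {   # $1 = secrets path, $2 = password
    ( umask 077; printf '%s:%s\n' "$RSYNC_USER" "$2" > "$1" && chmod 600 "$1" )
}

# Check a practitioner would run before starting the daemon:
# returns 0 if the secrets file is owner-only (rw-------).
secrets_mode_ok() {
    case $(ls -ld "$1") in
        -rw-------*) return 0 ;;
        *)           return 1 ;;
    esac
}

# Client side, method 4: open the forward, then talk to the daemon through it.
# Binding the listener to 127.0.0.1 keeps it off the network, but any user on
# the client machine can still connect to it (the piggybacking problem).
forward_cmd() {
    printf 'ssh -N -f -L 127.0.0.1:%s:localhost:%s %s\n' \
        "$LOCAL_PORT" "$DAEMON_PORT" "$REMOTE_HOST"
}

rsync_over_forward_cmd() {   # $1 = local destination dir, $2 = client-side password file
    printf 'rsync -av --port=%s --password-file=%s %s@localhost::%s/ %s\n' \
        "$LOCAL_PORT" "$2" "$RSYNC_USER" "$MODULE" "$1"
}

# Client side, method 1: rsync starts a single-use daemon over ssh in your own
# remote account; it reads rsyncd.conf from the remote home directory rather
# than /etc. No listening port, no forward, nothing for others to piggyback on.
rsync_single_use_cmd() {   # $1 = local destination dir
    printf 'rsync -av -e ssh %s::%s/ %s\n' "$REMOTE_HOST" "$MODULE" "$1"
}

# Demo: write the files into a scratch directory and show the command lines.
demo_dir=$(mktemp -d)
write_secrets "$demo_dir/rsyncd.secrets" 'correct horse battery staple'
write_rsyncd_conf "$demo_dir/rsyncd.conf" "$demo_dir/rsyncd.secrets" /srv/pub
cat "$demo_dir/rsyncd.conf"
secrets_mode_ok "$demo_dir/rsyncd.secrets" && echo "secrets file mode ok"
forward_cmd
rsync_over_forward_cmd ./mirror "$HOME/.rsync-pass"
rsync_single_use_cmd ./mirror
rm -rf "$demo_dir"
```

The client-side password file passed to --password-file needs the same owner-only mode as the daemon's secrets file. Note that "address = localhost" only narrows who can reach the port; the "auth users" line is what keeps other local users of the remote machine (and anyone piggybacking on the client-side forward) out of the module.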