On Fri, Sep 14, 2001 at 10:29:37PM -0500, Phil Howard wrote:

Dave Dykstra wrote:

If stunnel doesn't work, how about this idea: what if you hand out an
unencrypted SSH private key to all users, and put in a .ssh/authorized_keys
on the server with a forced command that restricts what the users can do
to specific rsync commands? That will still encrypt the connection, and
even though the authentication key will be well-known it should be safe
because the authentication key is independent of the encryption key.

My concern with SSH is making it function with an authentication space
different than the /etc/passwd space, and absolutely ensuring that there
is no way anyone accessing via SSH could execute any other command.

I'm quite confident rsync will work over stunnel. But I don't know if
there is any effort to standardize a different port number for rsync
over ssl.

No, there hasn't. Is 874 available?

In a separate project I'm developing a new POP3 server, and
will be looking at integrating SSL, probably with code from stunnel,
so the logic of the server operates with the direct knowledge of where
the connection comes from. One way that I might do this is for an SSL
connection, to launch an additional process to handle the SSL layer
just like stunnel, perhaps actually running that code. For rsync, this
might also be a way to do it. Integrating it into a client could be even
more useful.

This has been talked about before but never done. See for instance
the thread starting at
http://lists.samba.org/pipermail/rsync/2000-October/003041.html

Nobody has mentioned trying rsync with stunnel according to my saved
rsync-related email.

Somebody made an rsync SASL patch but I really don't know if or how that's
related to SSL. That posting is at
http://lists.samba.org/pipermail/rsync/1999-July/001250.html

- Dave Dykstra
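The forced-command restriction quoted at the top of this message (a shared SSH key whose authorized_keys entry limits the user to specific rsync commands), written out as an added example that is not from the thread or from rsync itself: a wrapper that sshd runs in place of whatever the client asked for, admitting only a read-only rsync server invocation confined to one export tree. The authorized_keys line, the /srv/export path and the option deny list are assumptions.

```shell
#!/bin/sh
# rsync-only: forced-command wrapper for a shared, well-known SSH key.
# Hypothetical authorized_keys entry (constructed, not from the thread):
#   command="/usr/local/bin/rsync-only",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa AAAA... shared
# sshd runs this script instead of the client's command and passes the
# client's request in SSH_ORIGINAL_COMMAND. The key is only as safe as
# this check plus the no-pty/no-forwarding options on that line.
EXPORT_DIR="${EXPORT_DIR:-/srv/export}"   # assumed directory tree to publish
set -f                                     # never glob while word-splitting requests

# check_rsync_cmd CMD: returns 0 if CMD is an allowed rsync request, 1 otherwise
check_rsync_cmd() {
    set -- $1                              # split exactly as the exec below will
    # 1. must be rsync acting as server *and* sender (client can only download)
    [ "$1" = rsync ] && [ "$2" = --server ] && [ "$3" = --sender ] || return 1
    shift 3
    seen_dot=0
    for w in "$@"; do
        # 2. every word passes a conservative character allowlist (no quotes,
        #    metacharacters or globs), so nothing can smuggle a second command
        case "$w" in *[!A-Za-z0-9_./=,-]*) return 1 ;; esac
        if [ "$seen_dot" = 1 ]; then
            # 4. after "." every word is a path rsync will serve: keep it under
            #    EXPORT_DIR and refuse any ".." component
            case "$w" in "$EXPORT_DIR"|"$EXPORT_DIR"/*) ;; *) return 1 ;; esac
            case "$w" in *..*) return 1 ;; esac
        elif [ "$w" = . ]; then
            seen_dot=1
        else
            # 3. option words: deny the ones that would write or delete files
            #    (assumed starting list; extend it for a real deployment)
            case "$w" in --remove-s*|--log-file*|--files-from*|--daemon*) return 1 ;; esac
        fi
    done
    [ "$seen_dot" = 1 ]                    # a request with no path list is malformed
}

# When invoked by sshd, validate the request and run rsync directly (never a shell).
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    if check_rsync_cmd "$SSH_ORIGINAL_COMMAND"; then
        set -- $SSH_ORIGINAL_COMMAND
        shift                              # drop the "rsync" word; we pick the binary
        exec rsync "$@"
    fi
    printf 'rsync-only: rejected request: %s\n' "$SSH_ORIGINAL_COMMAND" >&2
    exit 1
fi
```

Every rejected request is logged to stderr, which sshd forwards to syslog, so repeated rejections from the shared key are visible to whoever watches the auth log.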