Re: Modified rsync over SSL patch
2010/2/14 Uri Simchoni uri_simch...@hotmail.com So I rewrote the main data pump loop of the patch to use non-blocking IO, and am attaching the new patch. Thanks! I've done a little cleanup and committed the improved patch. Sorry for being super slow to get that done. ..wayne.. -- Please use reply-all for most replies to avoid omitting the mailing list. To unsubscribe or change options: https://lists.samba.org/mailman/listinfo/rsync Before posting, read: http://www.catb.org/~esr/faqs/smart-questions.html
Modified rsync over SSL patch
Hi, I've been working with Casey Marshall's SSL patch, and couldn't get it to work reliably - the transfer would abort pretty quickly. So I rewrote the main data pump loop of the patch to use non-blocking IO, and am attaching the new patch. An rsync program using this patch is interoperable with the old patch. Along with the modified message pump I added the following improvements: - Buffering data to produce large SSL records (16K) to increase the encryption/decryption efficiency. - Control of the SSL cipher list on the client via the RSYNC_SSL_CIPHERS environment variable - Graceful termination in order to better pass last error messages from the server to the client To use the patch (against 3.0.7): patch -p1 rsync-openssl.diff ./prepare-source ./configure make Enjoy, Uri. _ Hotmail: Trusted email with powerful SPAM protection. https://signup.live.com/signup.aspx?id=60969 rsync-openssl.diff Description: Binary data -- Please use reply-all for most replies to avoid omitting the mailing list. To unsubscribe or change options: https://lists.samba.org/mailman/listinfo/rsync Before posting, read: http://www.catb.org/~esr/faqs/smart-questions.html
Re: rsync over ssl
Hi, Look into this http://www.netbits.us/docs/stunnel_rsync.html will help you more. thanks, bharthix Daniel Teklu wrote: How do I set up rsync over ssl between two unix servers? Thanks in advance. -Daniel -- S.Bharathi Raja, AU-KBC Research Centre, M.I.T. Campus of Anna University, Chromepet, Chennai 600 044. INDIA Phone: 91 44 22234885, 22232711 Ext:34 Fax: 22231034 Mail: [EMAIL PROTECTED] [EMAIL PROTECTED] Web : www.bharthix.tk -- To unsubscribe or change options: https://lists.samba.org/mailman/listinfo/rsync Before posting, read: http://www.catb.org/~esr/faqs/smart-questions.html
rsync over ssl
How do I set up rsync over ssl between two unix servers? Thanks in advance. -Daniel -- To unsubscribe or change options: https://lists.samba.org/mailman/listinfo/rsync Before posting, read: http://www.catb.org/~esr/faqs/smart-questions.html
rsync and SSL: gettig the patch working
Hi all, I have applied the patch at http://metastatic.org/source/rsync-ssl.patch to the rsync v2.6.2 tree, and have it installed between two hosts. Unfortunately the patch contains no docs, so I have no idea whether I've configured it correctly. Any attempt at making an rsync transfer bombs out with the error: [EMAIL PROTECTED] fma]$ rsync -a --ssl-ca-certs=/usr/share/ssl/certs/caCert.pem rsync://[EMAIL PROTECTED]/home/gatekeeper/fma/ samba-test/ SSL: error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake failure rsync: writefd_unbuffered failed to write 5 bytes: phase unknown: Broken pipe rsync error: error in rsync protocol data stream (code 12) at io.c(836) The server side was run from xinetd like this: server_args = --daemon --ssl --ssl-cert=/pathto/patricia-hostCert.pem --ssl-key=/pathto/patricia-hostKey.pem The server's cert is signed by the CA cert referenced on the client. Does anyone got this patch to work? How should I have set this up? Regards, Graham -- -- To unsubscribe or change options: http://lists.samba.org/mailman/listinfo/rsync Before posting, read: http://www.catb.org/~esr/faqs/smart-questions.html
rsync over ssl (again)
A while back, I asked if there had been any consideration in making rsync support direct ssl (as opposed to just ssh). I've been looking around for a secure way (e.g. encrypted, so passwords are never in the clear, and even content is obscured from sniffers) to allow a set of limited-trust users (limited-trust being defined as mostly customers, whom you trust with their own data, but not with shell accounts and such) to access data using rsync (or I guess we might call it srsync). Fortunately things like pop3 and imap4 have secure equivalents. But I also have a need to give users the ability to upload and download their own data securely, and the only good tool to do that without granting them something that might open a shell for them is https. But for large transfers, that just does not work very well, and I think rsync would be a much better answer if the security issue can be worked out. The server side can be readily done through something like stunnel. But on the client side, stunnel would be cumbersome considering the user base involved. If this can be done, I'd also like to see if there is some way to overload the usage of port 873 for both insecure and secure usage. I don't know how the protocol works, but if it does enough of the right startup negotiation, it might be possible to safely decide if the session needs to be done securely, then switch to secure mode and restart the session negotiation (including server identity certification validation). Any thoughts on this? -- - | Phil Howard - KA9WGN | Dallas | http://linuxhomepage.com/ | | [EMAIL PROTECTED] | Texas, USA | http://ka9wgn.ham.org/| - -- To unsubscribe or change options: http://lists.samba.org/mailman/listinfo/rsync Before posting, read: http://www.tuxedo.org/~esr/faqs/smart-questions.html
Re: rsync and SSL
On Thu, Sep 20, 2001 at 01:00:46AM +, M. Drew Streib wrote: On Thu, Sep 20, 2001 at 10:47:15AM +1000, Cameron Simpson wrote: That way we could do SMTP over SSL etc etc transparently: clients connect, say SSL, if rejected either fall back or fall out, and if accepted then away we all go. Is there some technical reason for not doing things this way? Other than an extra couple tcp transmissions, not too many. It does probably break about all existing protocols though, at least as written, since the SSL handshake would fall outside of the bounds of the protocol. Implementing this on SMTP, for instance, would require more than SMTP, but would be SMTP+SSLoption, which _may_ be fully backwards compatible, but certainly not compliant, as it implements non-standard behavior. Even if the initial request were inside of the bounds of the protocol, as in Renegotiate: SSL as an http header, the followup handshake and subsequent transmission certainly wouldn't be standard. Bzzzttt... Wrong answer. Sorry... This already exists for SMTP and others and is typically referred to as START TLS/STARTTLS (TLS is the ietf term for SSL v3) or escape to TLS or something similar. It's standardized. RFC 2487 [SMTP Service Extension for Secure SMTP over TLS] in the case of SMTP. There are patches for QMail and Postfix on the net and the lastest sources of sendmail (8.11.x and 8.12.x) include it although it's not built by default. This may not bother you from a technical perspective, but might upset people that are purists at the wire protocol level. It is something that certainly could be debated, either for an individual protocol, or across the spectrum. Nothing to stop rsync from implementing something like this, since it is sort of in charge of its own protocol development... Look up the standard for escape to TLS and find your answer there. RFC 2487 covers SMTP STARTTLS. There are references to a telnet STARTTLS option in RFC 2400 and RFC 2595 [Using TLS with IMAP, POP3 and ACAP] covers several other protocols. I'd be interested in seeing an IETF proposal for something like this, just for public debate. AFAIK... This is already a done deal. Seems to be pretty well hashed over in the ietf. -drew -- M. Drew Streib [EMAIL PROTECTED] | http://dtype.org/ FSG [EMAIL PROTECTED]| Linux International [EMAIL PROTECTED] freedb [EMAIL PROTECTED]| SourceForge [EMAIL PROTECTED] Mike -- Michael H. Warfield| (770) 985-6132 | [EMAIL PROTECTED] (The Mad Wizard) | (678) 463-0932 | http://www.wittsend.com/mhw/ NIC whois: MHW9 | An optimist believes we live in the best of all PGP Key: 0xDF1DD471| possible worlds. A pessimist is sure of it!
Re: rsync and SSL
On Mon, Sep 17, 2001 at 12:10:45PM -0500, Dave Dykstra [EMAIL PROTECTED] wrote: | On Fri, Sep 14, 2001 at 10:29:37PM -0500, Phil Howard wrote: | My concern with SSH is making it function with an authentication space | different than the /etc/passwd space, and absolutely ensuring that there | is no way anyone accessing via SSH could execute any other command. I'm curious. What's insufficient about the command= authorized_hosts parameter? | I'm quite confident rsync will work over stunnel. But I don't know if | there is any effort to standardize a different port number for rsync | over ssl. | | No, there hasn't. Is 874 available? This trend bothers me. Why are we issuing new port numbers for whatever-proto-over-SSL instead of just augumenting the protocol to have an SSL command, which starts an SSL connection over the channel and then runs the core protocol (rsync, pop, whatever) afresh on the new session? That way we could do SMTP over SSL etc etc transparently: clients connect, say SSL, if rejected either fall back or fall out, and if accepted then away we all go. Is there some technical reason for not doing things this way? -- Cameron Simpson, DoD#743[EMAIL PROTECTED]http://www.zip.com.au/~cs/ One of the biggest obstacles to the future of computing is C. C is the last attempt of the high priesthood to control the computing business. It's like the scribes and the Pharisees who did not want the masses to learn to read and write. - Jerry Pournelle
Re: rsync and SSL
On Thu, Sep 20, 2001 at 10:47:15AM +1000, Cameron Simpson wrote: That way we could do SMTP over SSL etc etc transparently: clients connect, say SSL, if rejected either fall back or fall out, and if accepted then away we all go. Is there some technical reason for not doing things this way? Other than an extra couple tcp transmissions, not too many. It does probably break about all existing protocols though, at least as written, since the SSL handshake would fall outside of the bounds of the protocol. Implementing this on SMTP, for instance, would require more than SMTP, but would be SMTP+SSLoption, which _may_ be fully backwards compatible, but certainly not compliant, as it implements non-standard behavior. Even if the initial request were inside of the bounds of the protocol, as in Renegotiate: SSL as an http header, the followup handshake and subsequent transmission certainly wouldn't be standard. This may not bother you from a technical perspective, but might upset people that are purists at the wire protocol level. It is something that certainly could be debated, either for an individual protocol, or across the spectrum. Nothing to stop rsync from implementing something like this, since it is sort of in charge of its own protocol development... I'd be interested in seeing an IETF proposal for something like this, just for public debate. -drew -- M. Drew Streib [EMAIL PROTECTED] | http://dtype.org/ FSG [EMAIL PROTECTED]| Linux International [EMAIL PROTECTED] freedb [EMAIL PROTECTED]| SourceForge [EMAIL PROTECTED] PGP signature
Re: rsync and SSL
On Fri, Sep 14, 2001 at 10:29:37PM -0500, Phil Howard wrote: Dave Dykstra wrote: If stunnel doesn't work, how about this idea: what if you hand out an unencrypted SSH private key to all users, and put in a .ssh/authorized_keys on the server with a forced command that restricts what the users can do to specific rsync commands? That will still encrypt the connection, and even though the authentication key will be well-known it should be safe because the authentication key is independent of the encryption key. My concern with SSH is making it function with an authentication space different than the /etc/passwd space, and absolutely ensuring that there is no way anyone accessing via SSH could execute any other command. I'm quite confident rsync will work over stunnel. But I don't know if there is any effort to standardize a different port number for rsync over ssl. No, there hasn't. Is 874 available? In a separate project I'm developing a new POP3 server, and will be looking at integrating SSL, probably with code from stunnel, so the logic of the server operates with the direct knowledge of where the connection comes from. One way that I might do this is for an SSL connection, to launch an additional process to handle the SSL layer just like stunnel, perhaps actually running that code. For rsync, this might also be a way to do it. Integrating it a client could be even more useful. This has been talked about before but never done. See for instance the thread starting at http://lists.samba.org/pipermail/rsync/2000-October/003041.html Nobody has mentioned trying rsync with with stunnel according to my saved rsync-related email. Somebody made an rsync SASL patch but I really don't know if or how that's related to SSL. That posting is at http://lists.samba.org/pipermail/rsync/1999-July/001250.html - Dave Dykstra
Re: rsync and SSL
On Thu, Sep 13, 2001 at 07:41:19PM -0500, Phil Howard wrote: I'm finding even less on rsync and SSL. I would have imagined someone would have done something with this already, but apparently not. So I guess I need to ask and see for sure: has anyone worked on issues of using rsync via SSL, such as with stunnel? I'm sorry, I didn't read this message before my reply. I see you've already covered everything in my reply, so you can ignore it. I want to have encrypted access, either anonymous or authenticated, but without granting any SSH access to anyone (e.g. the rsync users won't be in the /etc/passwd user space). If stunnel doesn't work, how about this idea: what if you hand out an unencrypted SSH private key to all users, and put in a .ssh/authorized_keys on the server with a forced command that restricts what the users can do to specific rsync commands? That will still encrypt the connection, and even though the authentication key will be well-known it should be safe because the authentication key is independent of the encryption key. - Dave Dykstra
rsync and SSL
I'm finding even less on rsync and SSL. I would have imagined someone would have done something with this already, but apparently not. So I guess I need to ask and see for sure: has anyone worked on issues of using rsync via SSL, such as with stunnel? I want to have encrypted access, either anonymous or authenticated, but without granting any SSH access to anyone (e.g. the rsync users won't be in the /etc/passwd user space). -- - | Phil Howard - KA9WGN | Dallas | http://linuxhomepage.com/ | | [EMAIL PROTECTED] | Texas, USA | http://phil.ipal.org/ | -
