[KLUG Members] help with rsync

Peter Buxton members@kalamazoolinux.org
Mon, 9 Dec 2002 17:26:18 -0500


On Mon, Dec 09, 2002 at 04:56:31PM -0500, Bruce Smith wrote:

> Unless it's changed in recent versions, rsync uses the "r" protocol, and
> you have to enable the "r" commands and allow them access from root.
> (rcp, rsh, ...)
> 
> VERY INSECURE.  Not something to enable on an insecure network!

Fortunately, they thought of this:

 rsync -e ssh

will use ssh, not rsh, as the remote shell transport. Assuming you set
your server to use rsh *only* for anonymous/public rsync, this should be
fairly secure.

http://everythinglinux.org/rsync/




man rsyncd.conf:

The rsync daemon is launched by specifying the --daemon option to rsync.

The daemon must run with root privileges if you wish to use chroot, to
bind to a port numbered under 1024 (as is the default 873), or to set
file ownership.  Otherwise, it must just have permission to read and
write the appropriate data, log, and lock files.

You can launch it either via inetd or as a stand-alone daemon. If run as
a daemon then just run the command "rsync --daemon" from a suitable
startup script.

When run via inetd you should add a line like this to /etc/services:

              rsync           873/tcp

and a single line something like this to /etc/inetd.conf:

              rsync   stream  tcp     nowait  root   /usr/bin/rsync rsyncd --daemon

[I think you just change the last line to "rsyncd -e ssh --daemon".
-Ed.]



AUTHENTICATION STRENGTH

The authentication protocol used in rsync is a 128 bit MD4 based
challenge response system. Although I believe that no one has ever
demonstrated a brute-force break of this sort of system you should
realize that this is not a "military strength" authentication system.
It should be good enough for most purposes but if you want really top
quality security then I recommend that you run rsync over ssh.

Also note that the rsync server protocol does not currently provide any
encryption of the data that is transferred over the link.  Only
authentication is provided. Use ssh as the transport if you want
encryption.

Future versions of rsync may support SSL for better authentication and
encryption, but that is still being investigated.



-- 
for gpg key: http://killdevil.org/~peter
but to live outside the law you
must be honest.... -- bob dylan
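
As an added example (not part of the original post or the rsync documentation): a small shell audit that reads an inetd.conf and reports enabled "r" services (the `shell`, `login` and `exec` entries that serve rsh, rlogin and rexec) along with any rsync daemon entry and the user it runs as. The sample file is constructed, and the function names `sample_inetd_conf` and `audit_inetd` are made up for this illustration.

```shell
#!/bin/sh
# Constructed sample inetd.conf, not taken from a real host.
sample_inetd_conf() {
cat <<'EOF'
# service socket proto wait   user  server          args
ftp     stream  tcp  nowait  root  /usr/sbin/tcpd  in.ftpd
shell   stream  tcp  nowait  root  /usr/sbin/tcpd  in.rshd
#login  stream  tcp  nowait  root  /usr/sbin/tcpd  in.rlogind
exec    stream  tcp  nowait  root  /usr/sbin/tcpd  in.rexecd
rsync   stream  tcp  nowait  root  /usr/bin/rsync rsyncd --daemon
EOF
}

# audit_inetd: read inetd.conf text on stdin, print one finding per line.
# Field 1 is the service name from /etc/services, field 5 the user the
# server is started as. Commented-out and malformed lines are skipped.
audit_inetd() {
  awk '
    /^[ \t]*#/ || NF < 6 { next }
    # rsh, rlogin and rexec are listed as shell, login and exec.
    $1 == "shell" || $1 == "login" || $1 == "exec" {
      printf "R-SERVICE %s user=%s\n", $1, $5
      next
    }
    # The rsync daemon authenticates but does not encrypt the transfer.
    $1 == "rsync" {
      printf "RSYNC-DAEMON user=%s\n", $5
    }
  '
}

# Run against the constructed sample; on a real host, feed it the file:
#   audit_inetd < /etc/inetd.conf
sample_inetd_conf | audit_inetd
```

Any `R-SERVICE` line means an "r" command is reachable through inetd; an `RSYNC-DAEMON` line marks a module server whose traffic is not encrypted, so private data should go through `rsync -e ssh` instead.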