Discussion:
SSL/TLS support in RSYNC
Bruno (libvirt)
2008-05-19 09:26:44 UTC
Hello all,

This is my first post on this mailing-list. I know this issue has been
talked about many times, but I can't find any real answer anyway.
What are the plans to implement TLS directly into the mainstream rsync?
This would be a huge improvement, when using rsync with a daemon and
modules-based setup.

It's already easy to tunnel rsync into ssh, but this requires
1) ssh-user and shell access
2) to specify the full remote path
3) to forget about all the nifty features of rsyncd.conf (uid/gid,
ip-filtering, easy logging...)
If you know about any plan for the integration of SSL/TLS... maybe the
CVS/SVN version has this already, please be kind and let me know.

Regards,

Bruno Medici
Matt McCutchen
2008-05-19 23:14:13 UTC
Post by Bruno (libvirt)
What are the plans to implement TLS directly into the mainstream rsync?
This would be a huge improvement, when using rsync with a daemon and
modules-based setup.
It's already easy to tunnel rsync into ssh, but this requires
1) ssh-user and shell access
2) to specify the full remote path
3) to forget about all the nifty features of rsyncd.conf (uid/gid,
ip-filtering, easy logging...)
If you know about any plan for the integration of SSL/TLS... maybe the
CVS/SVN version has this already, please be kind and let me know.
There is a patch that is supposed to add SSL support:
http://rsync.samba.org/ftp/rsync/patches/openssl-support.diff
and some discussion of improving it:
http://lists.samba.org/archive/rsync/2007-April/017578.html
but my impression is that the patch doesn't work and hasn't been fixed.

You could access the daemon through stunnel. Another option is to use a
single-use daemon invoked over ssh, with a forced command (rsync
--server --daemon .) that limits the ssh login to invoking the daemon;
see section "USING RSYNC-DAEMON FEATURES VIA A REMOTE-SHELL CONNECTION"
in the man page. That gives you modules and logging right away. If you
need a uid/gid different from the ssh user's, you could run a
traditional daemon that listens only on localhost and have the ssh login
force a connection to that daemon, or you could just use ssh port
forwarding.

Matt
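
Added example, not part of the original thread and not rsync's own code: a shell sketch of the forced-command setup described in the reply above, rendering the authorized_keys entry and a per-user rsyncd.conf and linting the entry for the restrictions that keep the key from being used for anything else. The function names, the `backup` account, the `data` module, the paths and the public key are all placeholders assumed for illustration.

```shell
#!/bin/sh
# Added illustration. Function names, account, module, paths and key are
# hypothetical placeholders, not values from the thread.

# authorized_keys entry: the key can only start the single-use daemon
# (the forced command quoted in the thread); no shell, pty or forwarding.
render_authorized_key() {   # $1 = public key line of the client
    printf 'command="rsync --server --daemon .",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding %s\n' "$1"
}

# rsyncd.conf for the ssh login. Run over a remote shell as a non-root user,
# the daemon reads rsyncd.conf from the current directory (normally $HOME).
render_rsyncd_conf() {      # $1 = module name, $2 = module path, $3 = log file
    cat <<EOF
# rsyncd.conf in the ssh login's home directory
log file = $3
use chroot = no

[$1]
    path = $2
    read only = yes
    comment = served only through the ssh forced command
EOF
}

# Simple lint for one authorized_keys line: returns 0 only when the forced
# command comes first and every restriction option is present.
check_authorized_key() {    # $1 = one authorized_keys line
    case "$1" in
        'command="rsync --server --daemon ."'*) ;;
        *) echo "forced command missing or not first" >&2; return 1 ;;
    esac
    for opt in no-pty no-port-forwarding no-agent-forwarding no-X11-forwarding; do
        case "$1" in
            *",$opt,"*|*",$opt "*) ;;
            *) echo "missing option: $opt" >&2; return 1 ;;
        esac
    done
}

# Demo with constructed values. The client would then connect with:
#   rsync -av -e "ssh -l backup" server::data/ /local/dest/
entry=$(render_authorized_key "ssh-ed25519 AAAAC3PLACEHOLDERKEY backup@client")
check_authorized_key "$entry" && printf '%s\n' "$entry"
render_rsyncd_conf data /srv/data /home/backup/rsyncd.log
```
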
Bruno (libvirt)
2008-05-21 21:50:05 UTC
Post by Matt McCutchen
Post by Bruno (libvirt)
What are the plans to implement TLS directly into the mainstream rsync?
This would be a huge improvement, when using rsync with a daemon and
modules-based setup.
It's already easy to tunnel rsync into ssh, but this requires
1) ssh-user and shell access
2) to specify the full remote path
3) to forget about all the nifty features of rsyncd.conf (uid/gid,
ip-filtering, easy logging...)
If you know about any plan for the integration of SSL/TLS... maybe the
CVS/SVN version has this already, please be kind and let me know.
http://rsync.samba.org/ftp/rsync/patches/openssl-support.diff
http://lists.samba.org/archive/rsync/2007-April/017578.html
but my impression is that the patch doesn't work and hasn't been fixed.
You could access the daemon through stunnel. Another option is to use a
single-use daemon invoked over ssh, with a forced command (rsync
--server --daemon .) that limits the ssh login to invoking the daemon;
see section "USING RSYNC-DAEMON FEATURES VIA A REMOTE-SHELL CONNECTION"
in the man page. That gives you modules and logging right away. If you
need a uid/gid different from the ssh user's, you could run a
traditional daemon that listens only on localhost and have the ssh login
force a connection to that daemon, or you could just use ssh port
forwarding.
Matt
Thank you Matt for your response. I'm going to try that ASAP, but I've
read, too, that it's less than reliable.

Bruno
