Hi All,

We have clients with dynamic IPs which we have set up with <host>.dyndns.org addresses. We have added these to the rsync.conf 'hosts allow=' but they are being denied access. Is there any way around this?

Matt

At Wednesday 24 April 2002 08:19 Matthew Simpson wrote:
> We have clients with dynamic IPs which we have set up with
> <host>.dyndns.org addresses. We have added these to the rsync.conf
> 'hosts allow=' but they are being denied access.

I assume that this could be a DNS-update (resp. -actuality) problem. Are you sure that, at the moment rsync is called, the server's DNS resolver delivers the correct IP?

Greetings
--
Michael Zimmermann (Vegaa Safety and Security for Internet Services)
<zim@vegaa.de> phone +49 89 6283 7632 hotline +49 163 823 1195
Key fingerprint = 1E47 7B99 A9D3 698D 7E35 9BB5 EF6B EEDB 696D 5811

Try this patch (against rsync 2.5.5):

#----- $ gdiff -u clientname.c.orig clientname.c --- clientname.c.orig Fri Jan 25 17:59:37 2002 +++ clientname.c Mon Apr 1 13:32:10 2002 @@ -240,7 +240,7 @@ hints.ai_family = ss_family; hints.ai_flags = AI_CANONNAME; hints.ai_socktype = SOCK_STREAM; - error = getaddrinfo(name_buf, port_buf, &hints, &res0); + error = getaddrinfo(name_buf, NULL, &hints, &res0); if (error) { rprintf(FERROR, RSYNC_NAME ": forward name lookup for %s failed: %s\n", #-----

(or simply change "port_buf" to "NULL" in the getaddrinfo call in the check_name function in clientname.c)

This was a problem I found on AIX. It may apply to other OSes as well.

Of course, you still have to be able to resolve the <host>.dyndns.org addresses on the machine running the rsync daemon. But as long as you can ping them, you should be fine.
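
Review bot: the changed getaddrinfo() call now passes NULL for the service argument with nothing in the code saying why, so a later cleanup could put port_buf back; add a one-line comment above the call stating that the port is deliberately left out of this forward name lookup and that passing port_buf was seen to fail on AIX. If port_buf has no other use in check_name after this change, remove the variable and whatever fills it in the same patch. The rprintf(FERROR, ...) context line is unchanged, so "forward name lookup for %s failed" remains the daemon log string to search for when a name listed in hosts allow is still being denied.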

How about switching to password authentication? Makes you spoof-proof. Anybody who can sniff your network to get the plaintext can probably spoof your IP anyway, so you lose no security (probably gain a bit), and this doesn't have to wait for DNS registration to propagate.

Tim Conway
tim.conway@philips.com
303.682.4917
Philips Semiconductor - Longmont TC
1880 Industrial Circle, Suite D
Longmont, CO 80501
Available via SameTime Connect within Philips, n9hmg on AIM
perl -e 'print pack(nnnnnnnnnnnn, 19061,29556,8289,28271,29800,25970,8304,25970,27680,26721,25451,25970), ".\n" '
"There are some who call me.... Tim?"

Not every module as such, but every rsyncd user (these are independent of unix UID) has a separately defined password, and furthermore, each module can specify its own list of authorized rsyncd users, as well as its own secrets file, so you can effectively accomplish what you want. To make it easier to keep track, I'd suggest one big secrets file, containing module names and passwords, and for each module, make auth users = module name, so your users will then use modulename@server::modulename and either --password-file= or set RSYNC_PASSWORD appropriately. Of course, it would probably be easier for all concerned to use a single secrets file with entries for each user you want to let in, then control each module's access by the auth users list.

Tim Conway

Matthew Simpson <msimpson@market-research.com>
Sent by: rsync-admin@lists.samba.org
04/28/2002 05:05 AM
To: Tim Conway/LMT/SC/PHILIPS@AMEC
cc: rsync@lists.samba.org
Subject: Re: Dynamic address problem

Hi Tim

Sounds good. What would the best way to do this be? Can each module in the rsync.conf file have a different password? I noticed the --password-file directive for the client side, but how do I set the client side to ask for a password?

Matt

Close on the rsyncd.conf: secrets file is module, not global, so you'll need to name the secrets file for each user. Secrets file format is not user@domain:password. It neither knows nor cares who it really is or where it comes from.

    apps:appspassword
    userforprojects:userforprojectspassword

See rsyncd.conf(5), which contains a wealth of just such information. In my application, I don't use authentication. In response to your question, I read the man page and found the answers. It took remarkably little time.

Tim Conway

Matthew Simpson <msimpson@market-research.com>
Sent by: rsync-admin@lists.samba.org
04/30/2002 09:26 PM
To: Tim Conway/LMT/SC/PHILIPS@AMEC
cc: rsync@lists.samba.org
Subject: Re: Dynamic address problem

Hi Tim,

Just so I get this right....

In the /etc/rsyncd.conf on the server end I'll put:

##
uid = matt
gid = matt
#auth users = yes
secrets file = /etc/rsyncd.secrets

[apps]
auth users = apps
path=/home/apps
read only=false

[projects]
auth users = projects
path=/home/projects
read only=true
##

Format of /etc/rsyncd.secrets:

##
[apps]
triton@host.dyndns.org:abcd

[projects]
triton@host.dyndns.org:abcd
##

chmod 600 /etc/rsyncd.secrets

On the client side:

Under unix uid: simpson

##
rsync -options --password-file=~.rsyncpw apps@host.dyndns.org::apps /home/apps
rsync -options --password-file=~.rsyncpw projects@host.dyndns.org::projects /home/projects
##

or in ~simpson/.bash_profile:

export RSYNC_PASSWORD=abcd

~.rsyncpw:

##
abcd
##

Will this work?

Thanks,
Matt
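
As an added example (not code from any poster in this thread or from the rsync project), the following lint cross-checks each module's auth users against the usernames in a secrets file and flags the section headers used in the draft secrets file quoted above. It assumes auth users holds plain usernames only; the sample text is constructed from the quoted configuration, with made-up passwords.

```python
# Added example: cross-check rsyncd.conf "auth users" against a secrets file.
# Sample inputs are constructed from the configuration quoted in the thread.

def parse_modules(conf_text):
    """Return {module: [auth users]}; a global 'auth users' is the default."""
    modules, current = {None: []}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            modules[current] = list(modules[None])
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key.lower() == "auth users":
                modules[current] = value.replace(",", " ").split()
    modules.pop(None)
    return modules

def lint(conf_text, secrets_text):
    """Return a list of problems; an empty list means the pair is consistent."""
    users, problems = set(), []
    for n, raw in enumerate(secrets_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):
            problems.append(f"secrets line {n}: {line} is a section header, not username:password")
        elif ":" not in line:
            problems.append(f"secrets line {n}: expected username:password")
        else:
            users.add(line.split(":", 1)[0])
    for module, auth_users in parse_modules(conf_text).items():
        if not auth_users:
            problems.append(f"[{module}]: no auth users, so no password is required")
        for user in auth_users:
            if user not in users:
                problems.append(f"[{module}]: auth user '{user}' has no secrets entry")
    return problems

CONF = "secrets file = /etc/rsyncd.secrets\n[apps]\nauth users = apps\n[projects]\nauth users = projects\n"
AS_POSTED = "[apps]\ntriton@host.dyndns.org:abcd\n[projects]\ntriton@host.dyndns.org:abcd\n"
CORRECTED = "apps:appspassword\nprojects:projectspassword\n"  # constructed passwords

if __name__ == "__main__":
    for label, secrets in (("as posted", AS_POSTED), ("corrected", CORRECTED)):
        print(label, lint(CONF, secrets) or "ok")
```

Run against the two-line secrets file from the reply above (apps and userforprojects), the same check reports that [projects] lists an auth user with no matching entry, which is the mismatch to fix before relying on password authentication.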