seem to have a way of proving that it is the real server (e.g. by using public key cryptography).

So, if I wanted to authenticate the rsync server, then I would have to use rsync over ssh instead of running an rsync server over inetd, right? I should then put the ssh public key of the server on the website, available through https:// on my website. Someone who wants to set up a mirror can download the ssh public key via https://, install that in their ssh client, and then use ssh to connect to a shell account on my server to run rsync.

What about security, though? I would essentially be giving a shell account to anyone who wants to use it. This shell account would have to be restricted: It is CHROOTed in the file area, it cannot write to any of the files, and it can't run any program other than rsync. I'd guess I'd have to set this account to some special restricted shell that does this.

Am I right about all of the above? If yes, does anyone know where I might start looking for such a special restricted shell program? If no, where did I go wrong (is there a simpler way to provide a relatively simple thing such as authentication of the rsync server)?
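One way to get the "rsync only, read only" restriction asked about above without a special shell is an sshd forced command (the `command="..."` option on the account's `authorized_keys` entry) that inspects what the client asked to run. This is an added example, not part of the original post; the `/srv/mirror` path and the function name are assumptions, and file permissions on the tree should still deny writes independently of this filter.

```shell
#!/bin/sh
# Read-only area exported to mirrors (assumed path, adjust to your layout).
ALLOWED_ROOT="/srv/mirror"

# check_rsync_cmd CMD
# Returns 0 only if CMD is a read-only rsync "pull" confined to ALLOWED_ROOT.
check_rsync_cmd() {
    cmd=$1
    # Character whitelist: quotes, ;, |, $, newlines and globs are all refused.
    case $cmd in
        ''|*[!A-Za-z0-9\ ._/,=-]*) return 1 ;;
    esac
    set -- $cmd    # safe to split: no glob or quote characters pass the whitelist
    # A pulling client makes sshd run "rsync --server --sender <flags> . <path>".
    # Without --sender the server side would be receiving, i.e. writing.
    [ "$#" -ge 5 ] || return 1
    [ "$1" = rsync ] && [ "$2" = --server ] && [ "$3" = --sender ] || return 1
    shift 3
    paths=0
    for word in "$@"; do
        case $word in
            --*) return 1 ;;     # no further long options (e.g. --remove-source-files)
            -*|.) ;;             # short flag cluster, and the "." placeholder argument
            *..*) return 1 ;;    # no climbing out of the exported tree
            "$ALLOWED_ROOT"|"$ALLOWED_ROOT"/*) paths=$((paths + 1)) ;;
            *) return 1 ;;       # any path outside the exported tree
        esac
    done
    [ "$paths" -ge 1 ]
}

# Entry point when installed as the key's forced command.
# sshd puts the command the client requested in SSH_ORIGINAL_COMMAND.
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    if check_rsync_cmd "$SSH_ORIGINAL_COMMAND"; then
        exec $SSH_ORIGINAL_COMMAND
    fi
    echo "rejected: only read-only rsync pulls from $ALLOWED_ROOT are allowed" >&2
    exit 1
fi
```

An interactive login sets no `SSH_ORIGINAL_COMMAND`, so with this script as the forced command the account never reaches a shell prompt.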