(accidentally sent directly to Larry the first time - cross-posted to
list after-the-fact in case someone else finds it useful)
> I hope to manage rsync access the same way. Clients would be
> forced to come in via SSH (because no other ports are open), and
> once in, the configuration of rsync will determine what they can
> do, precisely. This is just a hope at the moment because when I
> try to limit per-user access via rsyncd.conf, it still demands a
> password even though the user in question has already been
> authenticated to permit their SSH entry.
Ah, I see. Given that you can simply and easily specify the password on
the command line, wouldn't it be easiest simply to use a shell script
that automatically passes the appropriate password with the rsync
command as an rsync replacement? From the user perspective, all would
be transparent - they wouldn't even need to change the way they use
rsync; your script would simply pass a
"--password-file=/path/to/password/file" argument to the real rsync,
along with whatever arguments the user needed.
You could even set up the precise same password for all user accounts,
so that the same replacement script (and same password file) was valid
for all accounts - just blindly adding the "--password-file=" argument
to all rsync calls. If you wanted to get fancy and were worried about
impact on accessing OTHER rsync servers, of course you could make your
shell script a little more sophisticated and make it check for the
presence of one of your own servers in the arguments passed by the user
before appending its --password-file argument to the list.
Jim Salter
