On 7/19/07, Alan Cheers <cheersa@brunswickcc.edu> wrote:
> I think I understand a bit better now. To use SSH you don't get to use
> the daemon (unless you specify the remote shell/which may cause loss of
> features).
Well, you have the choice of (1) a single-use daemon invoked over ssh
or (2) a connection proxied or forwarded by ssh to a background
daemon. In general, if you merely want to use an rsync feature that
is available only when using a daemon, you would invoke a single-use
daemon (#1) in your own remote account. On the other hand, if you
want a daemon that authenticates untrusted users and then offers them
carefully controlled access, you would usually set up a background
daemon (#2) and then add the ssh if you need the encryption or
firewall-bypassing.
To do #1, all you have to do is move the configuration file on the
daemon side if necessary (the daemon looks for it by default in the
remote home directory instead of /etc) and pass "-e ssh" on the
client.
To do #2...
> I am still interested in encrypting the traffic AND using a daemon. The
> manual says something to the effect of using SSH to tunnel a local port to a
> remote machine and configure a normal rsync daemon to accept localhost traffic.
> Can you explain the tunneling a port part?
This would be the fourth method on
http://rsync.samba.org/firewall.html . On the client, you tell ssh to
forward connections to a local port of your choice to the remote port
on which the daemon is listening. That means that, every time
something on your computer connects to the local port, the local ssh
signals the remote ssh to open a corresponding connection to the
daemon's port. The two ssh processes then pass the data back and
forth over the encrypted connection so that, for all the rsync client
can tell, it is talking directly to the daemon.
This setup guarantees that no one can snoop on your own exchange with
the daemon but does nothing to stop others from connecting to it
themselves and accessing the modules. You can block this in either or
both of two places: (1) stop others from connecting to the daemon, or
(2) set up authentication on the daemon so they can't access modules
once they connect.
To do #2, create a secrets file and set "auth users"; see the
rsyncd.conf man page.
For #1, you're already safe if a firewall blocks connections to the
daemon port from outside a private network whose users you all trust.
If not, you can tell the daemon to accept connections only from the
remote machine itself by setting "address = localhost"; then you're in
danger only from users who can log into the remote machine via ssh or
similar means and make such connections.
Notwithstanding that paragraph, if you forward a local port to the
daemon's port, you're additionally in danger of others on the local
machine piggybacking on that forward. Using a ProxyCommand in place
of a port forward (see method 2 on
http://rsync.samba.org/firewall.html ) doesn't have the piggybacking
problem and also tends to be more convenient.
Matt
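The setup Matt describes, as an added example that is not part of the original thread: a sample rsyncd.conf for the background-daemon case (#2) with "address = localhost" and per-module "auth users" / "secrets file", an "open" variant beside it for comparison, a small audit function that flags a config missing either protection, and the client-side commands for the single-use daemon (#1) and the ssh port forward. The host name, module name, user name, local port and paths are constructed for illustration; the rsyncd.conf parameter names are the real ones from the rsyncd.conf man page.

```shell
#!/bin/sh
# Added example (not from the original thread). Writes two sample rsyncd.conf
# files, audits them for the two protections Matt mentions, and prints the
# matching client commands. Host, module, user and paths are constructed.

# Daemon side, method #2: background daemon that listens only on loopback
# (remote users come in through ssh) and authenticates per module.
write_hardened_conf() {
    cat > "$1" <<'EOF'
# Loopback only: reachable from outside solely through an ssh forward.
address = localhost
port = 873
use chroot = yes
read only = yes

[backup]
    path = /srv/rsync/backup
    auth users = alan
    secrets file = /etc/rsyncd.secrets
EOF
}

# The weak variant: listens on every interface and lets anyone who can
# reach port 873 read the module without authenticating.
write_open_conf() {
    cat > "$1" <<'EOF'
port = 873
use chroot = yes
read only = yes

[backup]
    path = /srv/rsync/backup
EOF
}

# Return 0 if the daemon is restricted to the loopback address.
binds_localhost_only() {
    grep -Eq '^[[:space:]]*address[[:space:]]*=[[:space:]]*(localhost|127\.0\.0\.1)[[:space:]]*$' "$1"
}

# Return 0 if every [module] sets "auth users" (a global "auth users" before
# the first module counts as a default for all of them), 1 otherwise.
modules_all_authenticated() {
    awk '
        /^[[:space:]]*#/  { next }
        /^[[:space:]]*\[/ { if (inmod && !auth) missing++; inmod = 1; auth = global; next }
        /^[[:space:]]*auth users[[:space:]]*=/ { if (inmod) auth = 1; else global = 1 }
        END { if (inmod && !auth) missing++; exit missing ? 1 : 0 }
    ' "$1"
}

# Run both checks on a config, report, and return 0 only if both pass.
audit_conf() {
    rc=0
    if binds_localhost_only "$1"; then
        echo "ok:   daemon bound to localhost only"
    else
        echo "warn: daemon listens on all interfaces (no 'address = localhost')"; rc=1
    fi
    if modules_all_authenticated "$1"; then
        echo "ok:   every module requires 'auth users'"
    else
        echo "warn: a module has no 'auth users' (open to anyone who connects)"; rc=1
    fi
    return $rc
}

# Client side, method #1: "-e ssh" with the "::" syntax starts a single-use
# daemon in the remote account; it reads ~/rsyncd.conf there, no open port.
#   args: user host module local_dest
single_use_cmd() {
    echo "rsync -av -e ssh $1@$2::$3 $4"
}

# Client side, method #2: ssh carries local port $5 to the daemon's port on
# the remote loopback, then rsync talks to localhost. While the forward is
# up, anyone on the local machine can use it too (Matt's piggybacking note).
#   args: user host module local_dest local_port
forward_cmds() {
    echo "ssh -N -L $5:localhost:873 $1@$2"
    echo "rsync -av --port=$5 $1@localhost::$3 $4"
}

usage() {
    conf=$(mktemp)
    write_hardened_conf "$conf"; audit_conf "$conf"
    write_open_conf "$conf";     audit_conf "$conf" || true
    rm -f "$conf"
    single_use_cmd alan backup.example.org backup /srv/mirror
    forward_cmds   alan backup.example.org backup /srv/mirror 8730
}

usage
```

Running it audits the hardened config (both checks pass), then the open one (both warn), and prints the two client recipes. The audit only reads the config text; a daemon bound to localhost that still has an unauthenticated module is exactly the gap Matt points at, since anyone who can log in to that host can connect to it.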