Hello all,

This is my first post on this mailing-list. I know this issue has been talked about many times, but I can't find any real answer anyway.

What are the plans to implement TLS directly into the mainstream rsync? This would be a huge improvement, when using rsync with a daemon and modules-based setup.

It's already easy to tunnel rsync into ssh, but this requires
1) ssh-user and shell access
2) to specify the full remote path
3) to forget about all the nifty features of rsyncd.conf (uid/gid, ip-filtering, easy logging...)

If you know about any plan for the integration of SSL/TLS... maybe the CVS/SVN version has this already, please be kind and let me know.

Regards,
Bruno Medici

On Mon, 2008-05-19 at 11:26 +0200, Bruno (libvirt) wrote:
> What are the plans to implement TLS directly into the mainstream rsync?
> This would be a huge improvement, when using rsync with a daemon and
> modules-based setup.
>
> It's already easy to tunnel rsync into ssh, but this requires
> 1) ssh-user and shell access
> 2) to specify the full remote path
> 3) to forget about all the nifty features of rsyncd.conf (uid/gid,
> ip-filtering, easy logging...)
> If you know about any plan for the integration of SSL/TLS... maybe the
> CVS/SVN version has this already, please be kind and let me know.

There is a patch that is supposed to add SSL support:

rsync.samba.org/ftp/rsync/patches/openssl-support.diff

and some discussion of improving it:

lists.samba.org/archive/rsync/2007-April/017578.html

but my impression is that the patch doesn't work and hasn't been fixed.

You could access the daemon through stunnel.

Another option is to use a single-use daemon invoked over ssh, with a forced command (rsync --server --daemon .) that limits the ssh login to invoking the daemon; see section "USING RSYNC-DAEMON FEATURES VIA A REMOTE-SHELL CONNECTION" in the man page. That gives you modules and logging right away. If you need a uid/gid different from the ssh user's, you could run a traditional daemon that listens only on localhost and have the ssh login force a connection to that daemon, or you could just use ssh port forwarding.

Matt
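
Added example, not part of either message and not rsync project code: a shell sketch of the forced-command setup described in the reply, which stages an authorized_keys entry and an rsyncd.conf and checks that every key is pinned to the daemon. The ssh user "rsyncssh", module "backup", host name, paths and key material are assumptions or constructed placeholders.

```sh
#!/bin/sh
# Emit an authorized_keys entry that limits a key to the single-use daemon.
# $1 = public key line (type, base64 blob, comment)
rsync_only_key() {
    printf '%s %s\n' \
        'command="rsync --server --daemon .",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding' \
        "$1"
}

# Emit the rsyncd.conf that the single-use daemon reads from the ssh
# user's home directory. $1 = module name, $2 = module path, $3 = home dir
rsyncd_conf() {
    cat <<EOF
# Read by "rsync --server --daemon ." started through the forced command.
log file = $3/rsyncd.log
# The daemon runs as the ssh user, so it cannot chroot.
use chroot = no

[$1]
    path = $2
    read only = yes
    list = no
EOF
}

# Stage both files under a directory so they can be reviewed before install.
# $1 = staging dir, $2 = public key, $3 = module, $4 = module path, $5 = home
stage() {
    mkdir -p "$1/.ssh" && chmod 700 "$1/.ssh"
    rsync_only_key "$2" > "$1/.ssh/authorized_keys"
    chmod 600 "$1/.ssh/authorized_keys"
    rsyncd_conf "$3" "$4" "$5" > "$1/rsyncd.conf"
}

# Return 0 only if every key line in file $1 starts with the forced command
# (expects command= as the first option, which is how rsync_only_key writes it).
all_keys_forced() {
    ! grep -Ev '^[[:space:]]*(#|$)' "$1" |
        grep -qv '^command="rsync --server --daemon \."'
}

# Client side once installed (host and user are placeholders):
#   rsync -av -e "ssh -l rsyncssh" backuphost::backup /dest
```

Running all_keys_forced against the account's real authorized_keys after any key change catches an unrestricted key that would give that login a normal shell.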