Roman Fiedler
2008-Dec-12 12:08 UTC
Rsync via two ssh tunnels possible (standard method mentioned k times not possible?)
Hi list,

After reading rsync docu and doing online search, I still failed to find a simple solution for the following problem:

The goal is to sync two directories using rsync without running the rsync daemon on one of the two hosts. The standard shell sync does not work because of the network topology:

    Ssh connect to SRC-Host
    ^
    Base host (with ssh keys)
    v
    Ssh connect to bridge with tunnel for next ssh
    v
    Ssh connect to DST host via bridge.

No direct connection SRC/DST is possible, the ssh keys only reside on base host and cannot be copied to any other host.

My idea was to create ssh tunnels (plain port forward) from DST:4444 to base:5555, base:5555 to SRC:6666 (result tunnel DST:4444->SRC:6666) and run on SRC:

    nc -lp 6666 -e rsync --server -a . .

and something like that at DST

    rsync -a rsync://localhost:4444/ .

but that fails on src side with:

    protocol version mismatch -- is your shell clean?
    (see the rsync man page for an explanation)
    rsync error: protocol incompatibility (code 2) at compat.c(61) [receiver=2.6.9]

Is there a possibility to make this work (mis-)using some command line parameters, e.g. -e or --sender?

thanks, roman
Matt McCutchen
2008-Dec-13 05:10 UTC
Rsync via two ssh tunnels possible (standard method mentioned k times not possible?)
On Fri, 2008-12-12 at 12:56 +0100, Roman Fiedler wrote:
> The goal is to sync two directories using rsync without running the
> rsync daemon on one of the two hosts. The standard shell sync does not
> work because of the network topology:
>
>
> Ssh connect to SRC-Host
> ^
> Base host (with ssh keys)
> v
> Ssh connect to bridge with tunnel for next ssh
> v
> Ssh connect to DST host via bridge.
>
>
> No direct connection SRC/DST is possible, the ssh keys only reside on
> base host and cannot be copied to any other host.
>
> My idea was to create ssh tunnels (plain port forward) from DST:4444 to
> base:5555, base:5555 to SRC:6666 (result tunnel DST:4444->SRC:6666) and
> run on SRC:
>
> nc -lp 6666 -e rsync --server -a . .
>
> and something like that at DST
>
> rsync -a rsync://localhost:4444/ .
>
> but that fails on src side with:
>
> protocol version mismatch -- is your shell clean?
> (see the rsync man page for an explanation)
> rsync error: protocol incompatibility (code 2) at compat.c(61)
> [receiver=2.6.9]

That's a good idea. The only problem is that the receiver is expecting to speak the daemon protocol since you used an rsync:// URL, but the sender is playing the role of a bare server.

I suggest you just replace your "nc" command with an rsync daemon listening on port 6666 on the SRC machine. This isn't any less secure than what you're trying now.

If you really don't want an rsync daemon anywhere in the picture (though I'm not clear on why), you could use a single-colon source argument with "-e 'nc localhost 4444 #'" to have the client connect to the forwarded port and expect a bare server. But then it's your responsibility to make sure the server arguments on SRC are correct; rsync may crash if they aren't.

-- Matt
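The mismatch Matt describes, as an added example that is not part of the original thread and not rsync's own code: it classifies the first bytes a tunnel endpoint sends (daemon greeting line versus bare-server version integer) and shows what a bare server reads when the client opens with the daemon greeting. The version range 20 to 40, protocol number 29 for rsync 2.6.9, and all function names are assumptions of this example.

```python
import socket
import struct

# Assumption: version bounds as in rsync 2.6.9 (MIN/MAX_PROTOCOL_VERSION).
MIN_PROTOCOL_VERSION, MAX_PROTOCOL_VERSION = 20, 40

# Constructed samples (assumption: rsync 2.6.9 speaks protocol 29).
DAEMON_GREETING = b"@RSYNCD: 29\n"   # text line the daemon protocol opens with
BARE_HELLO = struct.pack("<i", 29)   # 4-byte integer a bare --server opens with


def as_bare_version(data: bytes) -> int:
    """Read the first 4 bytes the way a bare server does: little-endian int."""
    return struct.unpack("<i", data[:4])[0]


def classify(data: bytes) -> str:
    """Classify the first bytes a peer sends on a fresh connection."""
    if data.startswith(b"@RSYNCD: "):
        version = data[9:].split(b"\n", 1)[0].decode("ascii", "replace")
        return f"daemon (greeting version {version})"
    if len(data) >= 4:
        version = as_bare_version(data)
        if MIN_PROTOCOL_VERSION <= version <= MAX_PROTOCOL_VERSION:
            return f"bare server (protocol {version})"
    return "neither (banner, unclean shell or wrong service)"


def bare_server_verdict(data: bytes) -> str:
    """Apply a bare server's version range check to what the peer sent first."""
    if len(data) < 4:
        return "short read"
    version = as_bare_version(data)
    if version < MIN_PROTOCOL_VERSION or version > MAX_PROTOCOL_VERSION:
        return f"protocol version mismatch (read {version})"
    return f"accepted (protocol {version})"


def probe(host: str = "localhost", port: int = 4444, timeout: float = 5.0) -> str:
    """Connect to a forwarded port and classify what the far end sends first."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            return classify(sock.recv(64))
    except OSError as exc:
        return f"no answer ({exc})"


if __name__ == "__main__":
    print(probe())                               # what is behind the tunnel
    print(bare_server_verdict(DAEMON_GREETING))  # "@RSY" read as an integer
```

Run on DST against the forwarded port before invoking rsync, it tells you whether to use an rsync:// URL (daemon) or the single-colon form with -e (bare server).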
Hendrik Visage
2008-Dec-18 08:22 UTC
Rsync via two ssh tunnels possible (standard method mentioned k times not possible?)
On Fri, Dec 12, 2008 at 12:56 PM, Roman Fiedler <roman.fiedler@telbiomed.at> wrote:
> Hi list,
>
> After reading rsync docu and doing online search, I still failed to find a
> simple solution for following problem:
>
> The goal is to sync two directories using rsync without running the rsync
> daemon on one of the two hosts. The standard shell sync does not work
> because of the network topology:
>
>
> Ssh connect to SRC-Host
> ^
> Base host (with ssh keys)
> v
> Ssh connect to bridge with tunnel for next ssh
> v
> Ssh connect to DST host via bridge.

On DST, do a rsync --daemon, and let it only listen to local host for connections etc. in the rsyncd.conf

setup the tunnel(s) to DST:873 (The rsync port??) from base on like port 4444.

Then ssh to SRC, with port forwarding from SRC:5555 to base:4444 executing "rsync sourcedir rsync://localhost:5555/destinationdir"

Anything else, you'll have to vi rsync.c and add it yourself ;^)

> No direct connection SRC/DST is possible, the ssh keys only reside on base
> host and cannot be copied to any other host.
>
> My idea was to create ssh tunnels (plain port forward) from DST:4444 to
> base:5555, base:5555 to SRC:6666 (result tunnel DST:4444->SRC:6666) and run
> on SRC:
>
> nc -lp 6666 -e rsync --server -a . .
>
> and something like that at DST
>
> rsync -a rsync://localhost:4444/ .
>
> but that fails on src side with:
>
> protocol version mismatch -- is your shell clean?
> (see the rsync man page for an explanation)
> rsync error: protocol incompatibility (code 2) at compat.c(61)
> [receiver=2.6.9]
>
> Is there a possibility to make this work (mis-)using some command line
> parameters, e.g. -e or --sender?
>
> thanks, roman

-- Hendrik Visage
Justin Pryzby
2008-Dec-23 03:13 UTC
Rsync via two ssh tunnels possible (standard method mentioned k times not possible?)
On Fri, Dec 12, 2008 at 12:56:24PM +0100, Roman Fiedler wrote:
> Hi list,
>
> After reading rsync docu and doing online search, I still failed to find
> a simple solution for following problem:
>
> The goal is to sync two directories using rsync without running the
> rsync daemon on one of the two hosts. The standard shell sync does not
> work because of the network topology:

Is it sufficient to use:

    ssh -oProxyCommand ssh $directhost nc -q1 %h %p

where $directhost is the host to which the invoking rsync can connect directly?

Justin
Roman Fiedler
2008-Dec-23 09:05 UTC
Rsync via two ssh tunnels possible (standard method mentioned k times not possible?)
I finally got it working. The strange error messages were the result of server/client thread running with incompatible command line args, as Matt had already predicted. I also saved myself the pain of figuring out the correct args by using the rsync daemon process. The configuration was much simpler than expected:

rsyncd.conf:

    port = 6666

    [src]
    path = /data/src
    uid = 0
    gid = 0
    read only = true

    /usr/bin/rsync --daemon --no-detach --config=rsyncd.conf

I know that running the daemon as root is not a good idea, but for a one-time sync it should be OK. Otherwise I would have to make the source data directories world readable or sync with various different users.

    rsync --verbose --fuzzy -a rsync://localhost:4444/src .

(Keep in mind: localhost:4444 is fwd to localhost:6666 on other machine)

Justin Pryzby wrote:
> Is it sufficient to use:
>
> ssh -oProxyCommand ssh $directhost nc -q1 %h %p
>
> where $directhost is the host to which the invoking rsync can connect
> directly?

If I would install an ssh server on the bridge host in the middle (directhost) and put private keys on the side where rsync is invoked, this would work. Otherwise I also could forward the ssh server port from the src machine to dest, but that would need copying of key material also, which I want to avoid.

Thanks for all of your input, Roman