The man page says:

    --password-file
        This option allows you to provide a password in a file for
        accessing an rsync daemon. The file must not be world readable.
        It should contain just the password as a single line.

The trouble with this is that the file then shows up like this in an ls:
2 -rw------- 1 root wheel 9 Jan 24 2007 /var/rsync.passwd.server.mount
2 -rw------- 1 root wheel 11 Jun 30 2007 /var/rsync.passwd.serv2.moun2
2 -rw------- 1 root wheel 10 Jul 14 2008 /var/rsync.passwd.tuesday.mountie

This tells everyone the exact length of each password (8 characters,
10 characters, and 9 characters, respectively).

Granted, it's not MUCH of a security issue, and I guess the
password-files can be stored somewhere out of reach, but it seems to me
that it would be better if the password-file supported a format
something like this:

## Rsync Password File
#
# updated 20090117
server::mount password
serv2::moun2 password
# This server is only used on tuesdays
tue::mountie password
## EOF
First off, it would let you have multiple passwords in a single file
and second of all, it would completely conceal the lengths of each
password. (or some other format, even htpasswd format)
--
The Salvation Army Band played and the children drunk
lemonade and the morning lasted all day, all day.
And through an open window came like Sinatra in a
younger day pushing the town away
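
The multi-entry format proposed in the post above, as an added example that is not part of the original message and is not rsync code: rsync's --password-file is described on the page as holding a single password line, so this parser is hypothetical. The function names and the sample passwords (constructed with the 8, 10 and 9 character lengths from the post) are assumptions.

```python
import os
import stat
import tempfile

# Constructed sample in the proposed format; the passwords are made up.
SAMPLE = """\
## Rsync Password File
#
# updated 20090117
server::mount hunter2x
serv2::moun2 correcthor
# This server is only used on tuesdays
tue::mountie tr0ub4dor
## EOF
"""

def parse_password_file(path):
    """Return {(host, module): password}; refuse world-readable files."""
    if os.stat(path).st_mode & stat.S_IROTH:
        raise PermissionError(f"{path} must not be world readable")
    entries = {}
    with open(path, encoding="utf-8") as fh:
        for lineno, raw in enumerate(fh, 1):
            line = raw.rstrip("\r\n")
            if not line.strip() or line.lstrip().startswith("#"):
                continue  # blank line or comment
            # Split once, so the password itself may contain spaces.
            fields = line.split(None, 1)
            if len(fields) != 2:
                raise ValueError(f"line {lineno}: expected 'host::module password'")
            host, sep, module = fields[0].partition("::")
            if not (sep and host and module):
                raise ValueError(f"line {lineno}: bad target {fields[0]!r}")
            if (host, module) in entries:
                raise ValueError(f"line {lineno}: duplicate entry for {fields[0]}")
            entries[(host, module)] = fields[1]
    return entries

def write_sample(mode=0o600):
    """Write SAMPLE to a temporary file with the given mode; return its path."""
    fd, path = tempfile.mkstemp(prefix="rsync.passwd.")
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        fh.write(SAMPLE)
    os.chmod(path, mode)
    return path

if __name__ == "__main__":
    path = write_sample()
    table = parse_password_file(path)
    # The size ls reports now covers comments and all entries together.
    print(os.stat(path).st_size, "bytes on disk for", len(table), "entries")
    os.remove(path)
```
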