From: Jim Weeks <jim@siteplus.net>
To: Alexander Leidinger
Cc: erichz@superhero.org, freebsd-isp@FreeBSD.ORG
Date: Wed, 6 Jun 2001 20:12:12 -0400 (EDT)
Subject: Re: rsync for mirroring
In-Reply-To: <200106061435.f56EZw018621@Magelan.Leidinger.net>
Sender: owner-freebsd-isp@FreeBSD.ORG

On Wed, 6 Jun 2001, Alexander Leidinger wrote:

> I haven't read the article, but if I read the above paragraph: No! Don't
> rely on security by obscurity!
>
> If you run ssh as root: just do ssh port forwarding and only allow
> connections to the rsync daemon from localhost. Now just connect the
> rsync client to the ssh tunnel.
> But: do this only if you trust the users on the system where the rsync
> daemon runs.

Alexander,

I may have been misunderstood. I am not proposing running ssh as root. I am
referring to running rsyncd as uid root and gid wheel in order to copy such
files as master.passwd. As I understand it, the rsyncd daemon runs read-only
in the default configuration. Also, you may use any nondescript rsync
username and password combination to initiate the transfer of files. In this
instance, ssh is only used as the transport agent. Login security is handled
by rsyncd and, with the aid of ssh, is encrypted.

I do agree, obscurity is of very little use if you allow shell access to
untrusted users. On the other hand, setting "list = false" in rsyncd.conf
will effectively prevent anyone from simply requesting a list of modules.

As always, this is my opinion. Anyone choosing to build on or adapt this
information to their own use should do so with their own specific security
issues in mind.

--
Jim Weeks
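The setup the two posters converge on (rsyncd running as root so it can read master.passwd, a read-only module that is hidden from listing, the daemon bound to the loopback address so the only way in is an ssh port-forward, and a separate rsync username/password on top) is spelled out below as an added example. It is not from either poster and does not come from the FreeBSD or rsync projects. The module name "etc", the hostname "mirror.example.net", the ssh account "tunneluser", the rsync account "mirroruser", the forwarded local port 8730 and the password are all made up for illustration. As Alexander points out, local users on the daemon host can still reach 127.0.0.1:873 directly, so the rsync password (not the tunnel) is what stands between them and the module.

```shell
#!/bin/sh
# Added example, not code from the original thread. Writes an rsyncd.conf that
# follows the thread's advice and prints the two client-side commands.
# Assumed names: module "etc", host mirror.example.net, ssh user "tunneluser",
# rsync auth user "mirroruser", local forwarded port 8730 (all constructed).
set -eu

# Write rsyncd.conf and its secrets file into the directory $1; print the
# path of the config so callers can inspect it.
write_rsyncd_conf() {
    dir="$1"
    conf="$dir/rsyncd.conf"
    secrets="$dir/rsyncd.secrets"
    cat > "$conf" <<EOF
# Bind only to the loopback: remote clients must arrive through the ssh tunnel.
address = 127.0.0.1
port = 873
use chroot = yes
# strict modes: rsync refuses a secrets file that other users can read.
strict modes = yes
secrets file = $secrets

[etc]
    comment = /etc for mirroring (constructed example)
    path = /etc
    # root/wheel so the daemon can read master.passwd, as the poster describes
    uid = root
    gid = wheel
    # read only is the rsync default; stated explicitly so it is auditable
    read only = yes
    # do not answer "rsync host::" module-list requests
    list = false
    hosts allow = 127.0.0.1
    auth users = mirroruser
EOF
    # "user:password" lines; 0600 so strict modes accepts the file (constructed password).
    printf 'mirroruser:%s\n' 'constructed-example-password' > "$secrets"
    chmod 600 "$secrets"
    printf '%s\n' "$conf"
}

# Exit 0 only if the config has the three properties the thread relies on:
# module hidden from listing, read-only, reachable only from the loopback.
check_rsyncd_conf() {
    conf="$1"
    grep -Eq '^[[:space:]]*list[[:space:]]*=[[:space:]]*(false|no)[[:space:]]*$' "$conf" &&
    grep -Eq '^[[:space:]]*read only[[:space:]]*=[[:space:]]*(yes|true)[[:space:]]*$' "$conf" &&
    grep -Eq '^[[:space:]]*hosts allow[[:space:]]*=[[:space:]]*127\.0\.0\.1[[:space:]]*$' "$conf"
}

# Client side (printed, not executed: the hosts are fictitious).
# 1. forward local port 8730 to the daemon's loopback port on the mirror source
# 2. pull the module through the tunnel; rsyncd, not ssh, checks the password
client_commands() {
    cat <<'EOF'
ssh -N -f -L 8730:127.0.0.1:873 tunneluser@mirror.example.net
rsync -av --password-file=/root/.rsync-pw rsync://mirroruser@127.0.0.1:8730/etc/ /var/mirror/etc/
EOF
}

tmp=$(mktemp -d)
conf=$(write_rsyncd_conf "$tmp")
check_rsyncd_conf "$conf" && echo "config written and checked: $conf"
client_commands
```

The password file named by --password-file must also be mode 0600 or rsync will refuse it; with list = false a plain "rsync 127.0.0.1:8730::" through the tunnel returns an empty module list, but anyone who already knows the module name still only gets in with the rsync credentials.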