From owner-freebsd-isp Wed Jun 6 17:35:15 2001
Delivered-To: freebsd-isp@freebsd.org
Received: from femail4.sdc1.sfba.home.com (femail4.sdc1.sfba.home.com [24.0.95.84]) by hub.freebsd.org (Postfix) with ESMTP id C399037B401 for ; Wed, 6 Jun 2001 17:35:12 -0700 (PDT) (envelope-from jim@siteplus.net)
Received: from veager.siteplus.net ([65.14.122.116]) by femail4.sdc1.sfba.home.com (InterMail vM.4.01.03.20 201-229-121-120-20010223) with ESMTP id <20010607003507.OTPU29059.femail4.sdc1.sfba.home.com@veager.siteplus.net>; Wed, 6 Jun 2001 17:35:07 -0700
Date: Wed, 6 Jun 2001 20:35:02 -0400 (EDT)
From: Jim Weeks
To: Alexander Leidinger
Cc: erichz@superhero.org, freebsd-isp@FreeBSD.ORG
Subject: Re: rsync for mirroring
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-isp@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

Another thought on this subject. I suggest starting rsyncd from inetd. If I were super paranoid, I would run a cron-induced shell script on the server machine that would only enable rsyncd and -HUP inetd for the short period of time the client machine needs to make the connection. It would also be a simple matter to automate setting these connection times at random since you are already sync-ing the client machine with the server. The new random connection time information could be sent along with the transfer.

--
Jim Weeks

On Wed, 6 Jun 2001, Jim Weeks wrote:

>
> On Wed, 6 Jun 2001, Alexander Leidinger wrote:
>
> > I haven't read the article, but if I read the above paragraph: No! Don't
> > rely on security by obscurity!
> >
> > If you run ssh as root: just do ssh port forwarding and only allow
> > connections to the rsync daemon from localhost. Now just connect the
> > rsync client to the ssh tunnel.
> > But: do this only if you trust the users on the system where the rsync
> > daemon runs.
>
> Alexander,
>
> I may have been misunderstood. I am not proposing running ssh as root. I
> am referring to running rsyncd as uid-root and gid-wheel in order to copy
> such files as master.passwd. As I understand it, the rsyncd daemon runs
> as read only in the default configuration. Also, you may use any
> nondescript rsync-username and password combination to initiate the
> transfer of files. In this instance, ssh is only used as the transport
> agent. Login security is handled by rsyncd, and with the aid of ssh is
> encrypted.
>
> I do agree, obscurity is of very little use if you allow shell access to
> untrusted users. On the other hand, setting (list=false) in rsyncd.conf
> will effectively prevent anyone from simply requesting a list of modules.
>
> As always, this is my opinion. Anyone choosing to build on or adapt
> this information to their own use should do so with their own specific
> security issues in mind.
>
> --
> Jim Weeks
>
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-isp" in the body of the message

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-isp" in the body of the message
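An added audit script, not part of this thread, that checks an rsyncd.conf for the settings the thread recommends: `list = false`, modules kept read-only, an `auth users` password requirement, and `hosts allow` limited to 127.0.0.1 so only the ssh tunnel endpoint can reach the daemon. It assumes the usual `key = value` / `[module]` syntax with module names free of whitespace, and that global settings before the first module apply to every module.

```shell
#!/bin/sh
# Audit an rsyncd.conf against the advice in the thread above: modules must
# not be listable, must stay read-only, must require an rsync user/password,
# and the daemon must only accept connections arriving via the ssh tunnel on
# 127.0.0.1. Assumes "key = value" lines and "[module]" sections (module names
# without whitespace); globals before the first section apply to every module.

# Effective value of key $2 (lowercase) for module $1 in file $3:
# the module's own setting if present, else the global one, else empty.
rsyncd_get() {
    awk -v mod="$1" -v key="$2" '
        /^[ \t]*\[/ { sec=$0; sub(/^[ \t]*\[/, "", sec); sub(/\].*/, "", sec); next }
        /^[ \t]*[#;]/ || !/=/ { next }
        {
            k=$0; sub(/=.*/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", k)
            v=$0; sub(/^[^=]*=/, "", v); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (tolower(k) != key) next
            if (sec == "") g=v; else if (sec == mod) m=v
        }
        END { print (m != "" ? m : g) }' "$3"
}

# Module names declared in the file, one per line.
rsyncd_modules() {
    sed -n 's/^[[:space:]]*\[\([^]]*\)\].*/\1/p' "$1"
}

# Print one finding per weak setting; return 0 only when nothing was flagged.
rsyncd_audit() {
    conf=$1; rc=0
    for mod in $(rsyncd_modules "$conf"); do
        case $(rsyncd_get "$mod" list "$conf" | tr 'A-Z' 'a-z') in
            false|no|0) ;;
            *) echo "$mod: module is listable, set 'list = false'"; rc=1 ;;
        esac
        case $(rsyncd_get "$mod" "read only" "$conf" | tr 'A-Z' 'a-z') in
            false|no|0) echo "$mod: writable module, set 'read only = yes'"; rc=1 ;;
        esac
        [ -n "$(rsyncd_get "$mod" "auth users" "$conf")" ] ||
            { echo "$mod: no 'auth users', anyone reaching the daemon can pull it"; rc=1; }
        case $(rsyncd_get "$mod" "hosts allow" "$conf") in
            127.0.0.1|localhost) ;;
            *) echo "$mod: 'hosts allow' not limited to 127.0.0.1 (the ssh tunnel end)"; rc=1 ;;
        esac
    done
    return $rc
}
```

Run it as `rsyncd_audit /usr/local/etc/rsyncd.conf` before exposing the daemon; a non-zero exit means at least one module still needs tightening.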