What's In A Name? - Administration

Thus far, all the examples you've seen have involved so-called anonymous access to the rsync server - any user could connect to the host server and transfer files between the two systems. Needless to say, this is both insecure and dangerous - it's quite possible, for example, for someone to mistakenly sync up an empty directory with the "--delete" option, thereby destroying files on the destination machine.

In order to add a greater level of security, therefore, rsync comes with a simple authentication scheme, which requires users to log in to the rsync server with a password before performing any file transfer operation. This authentication can be activated on a per-module basis, and involves adding the "auth users" and "secrets file" variables to each module in the configuration file.

The "auth users" variable tells rsync which users are authorized to access the corresponding module on the server, while the "secrets file" variable tells rsync which file to use for password authentication. Here's an example:

[home]
path = /home/me
auth users = john, joe, sherry
secrets file = /home/me/rsync-users

In this case, only the users "john", "joe" and "sherry" are permitted access to the module "home", and their passwords can be verified against the data in the file "rsync-users". It's important to ensure that this file is not world-readable.

This secrets file is a simple text file containing a list of comma-separated usernames and passwords, each set on a new line. Here's an example:

[me@olympus] $ cat rsync-users
john:johnjoe:joesherry:g5473m

Note that these users need not necessarily be "real" users on the system.

Let's now update our configuration file to include some authentication for the "home" module, and restart the rsync daemon on "olympus":

[home]
 path = /home/me comment = My Home Area list = yes read only = no auth users = john, joesecrets file = /tmp/rsync-users

This time, when I attempt to connect to the rsync server from "xanadu", look what happens:

[me@xanadu] $ rsync --progress --recursive joe@olympus::home/ .
Password: ***

It's only after entering the correct password for user "joe" that I'm allowed access to the module. Note the manner in which the username is specified, by prefixing it to the host name on the command line.

Finally, you can use SSH for your rsync transfers by specifying the path to the "ssh" binary in your rsync command line:

[me@xanadu] $ rsync -rsh=/usr/bin/ssh --progress  --recursive
olympus:home/ . 

In this case, rsync will use SSH to perform the transaction. Note the single colon in the destination host name - this tells rsync to use the SSH shell instead of connecting to the rsync server directly.

You can also use the "hosts allow" and "hosts deny" options to restrict access to the server by host - take a look at the documentation for details.

>>> More Site Administration Articles          >>> More By icarus, (c) Melonfire

blog comments powered by Disqus