You are not logged in.

#1 2012-09-30 13:16:48

graysky
Wiki Maintainer
From: :wq
Registered: 2008-12-01
Posts: 10,595
Website

Key-based auth for rsyncd possible

Goal: Use rsync to connect to my rsyncd using an sshkey rather than a password for authentication.

I think the answer is no, but thought I'd ask here.  Googling on this gave a sea of false positive hits since rsync can be used over ssh.

For reference:

$ cat /etc/rsyncd.conf 
uid = root
gid = root
use chroot = no
max connections = 4
syslog facility = local5
pid file = /run/rsyncd.pid

[large]
path = /mnt/backup
comment = big drive
read only = false
secrets file = /etc/rsyncd.scrt
auth users = rsyncbackupuser

I constructed the secrets file in the standard, plaintext "username:password" format.


CPU-optimized Linux-ck packages @ Repo-ck  • AUR packagesZsh and other configs

Offline

#2 2012-10-01 17:49:41

clmates
Member
From: A Coruña - España
Registered: 2009-04-25
Posts: 79

Re: Key-based auth for rsyncd possible

Hi

Yes, is possible, I'm using it to sync folders between two servers over a WAN connection (an VPN)

You only have to setup the keys to be able to do ssh from one host to the other without password

Generate the key (as root)
ssh-keygen -t dsa
copy it to remote machine
scp .ssh/id_rsa.pub root@remotemachine:/root/.ssh/localservername_id_rsa.pub

then ssh to remote machine

and add the key to authorized keys

cd .ssh
cat localservername_id_rsa.pub >> authorized_keys

repeat now the procedure for this server to generate the key and scp to the local machine, then add to the local authorized_keys

when you have this working then you use rsync


like this

rsync -cavz --stats --progress --no-whole-file --log-file=/var/log/cron_rsync_$(date +%Y%m%d).log /sourcedirectory/ root@remotehost:/remotedirectory/


well, the log file is to store the rsync results as I have this on a cron script

Hope this helps


-

Arch64 - Acer AX3950 - i5-650 3.2 GHz - 8 GB RAM - Nvidia GeForce 320 1 GB Ram
Arch32 - Samsung NC10 - 2 GB Ram

Offline

#3 2012-10-01 20:35:46

graysky
Wiki Maintainer
From: :wq
Registered: 2008-12-01
Posts: 10,595
Website

Re: Key-based auth for rsyncd possible

clmates wrote:

rsync -cavz --stats --progress --no-whole-file --log-file=/var/log/cron_rsync_$(date +%Y%m%d).log /sourcedirectory/ root@remotehost:/remotedirectory/

If I'm not mistaken this is rsyncing over ssh rather than via the `rsync --daemon` which encrypts the data thus slowing down everything.


CPU-optimized Linux-ck packages @ Repo-ck  • AUR packagesZsh and other configs

Offline

#4 2012-10-01 23:25:16

fukawi2
Ex-Administratorino
From: .vic.au
Registered: 2007-09-28
Posts: 6,217
Website

Re: Key-based auth for rsyncd possible

graysky wrote:

If I'm not mistaken this is rsyncing over ssh rather than via the `rsync --daemon` which encrypts the data thus slowing down everything.

Correct. The rsync daemon does not support key-based authentication; and authenticating over an unencrypted channel is false security.

You can lower the encryption level used by SSH to something less processor intensive to improve speeds:
http://lugatgt.org/2009/10/28/ssh-tips-and-tricks-2/
http://lime-technology.com/forum/index. … ic=10503.0

Offline

#5 2012-10-02 00:09:44

graysky
Wiki Maintainer
From: :wq
Registered: 2008-12-01
Posts: 10,595
Website

Re: Key-based auth for rsyncd possible

Thanks, fukawi.  I am aware of it. In fact: https://bbs.archlinux.org/viewtopic.php?id=136713


CPU-optimized Linux-ck packages @ Repo-ck  • AUR packagesZsh and other configs

Offline

#6 2012-10-02 23:18:54

fukawi2
Ex-Administratorino
From: .vic.au
Registered: 2007-09-28
Posts: 6,217
Website

Re: Key-based auth for rsyncd possible

graysky wrote:

Thanks, fukawi.  I am aware of it. In fact: https://bbs.archlinux.org/viewtopic.php?id=136713

Oh, lol, I remember reading that thread when you posted it; didn't realize yesterday it was yours tongue

Have you tried disabling compression?
http://serverfault.com/questions/116875 … on-openssh

If you can find something similar to SSH that will do the key-auth, but not compression/authentication then you could use that as the transport with -e option. A quick Google doesn't show up anything for me though.

Offline

#7 2012-10-02 23:30:43

graysky
Wiki Maintainer
From: :wq
Registered: 2008-12-01
Posts: 10,595
Website

Re: Key-based auth for rsyncd possible

Yeah, I looked for that but discovered that upstream disabled the nocompression feature a while ago.  I didn't wanna mess with it.  Thanks for the suggestion, though.


CPU-optimized Linux-ck packages @ Repo-ck  • AUR packagesZsh and other configs

Offline

#8 2012-10-03 00:37:14

Strike0
Member
From: Germany
Registered: 2011-09-05
Posts: 1,429

Re: Key-based auth for rsyncd possible

I have not had the oppotunity to test it, but I remembered the readme of the following tool:
https://aur.archlinux.org/packages.php?ID=50456

edit:

When I suggested that, I was aware that you don't want high encryption for performance reasons. Afaik (from the documentation) the tool does not actually allow you to use less-cpu intensive ciphers, so it won't be suitable for you I guess. I initially suggested it, since the guy who wrote it runs an online backup service. So I gathered it can't be that slow smile

An alternative might be to ditch ssh for that purpose and use ftps (e.g. curlftps, stunnel) as a tunnel with your own pem.  That still keeps encryption, albeit with less protocol overhead. No idea how it would compare to your ssh-arcfour speedwise.

If that's _still_ not enough throughput, ah well .. then (keeping in mind fukawi's remark about false sense of security) you probably need something like a port-knocking for rsyncd.  Requiring a fair bit of tinkering. For that there are a number of clever tools in the AUR. In addition to those, have a look at this implementation: https://github.com/moxie0/knockknock
Hope that helps.

What I did not understand was your comment:

graysky wrote:

Yeah, I looked for that but discovered that upstream disabled the nocompression feature a while ago.

The ssh-nocompression is disabled or what did you mean?

Last edited by Strike0 (2012-10-03 13:09:07)

Offline

Board footer

Powered by FluxBB