
I want to run rsync over an SSL/TLS encrypted connection. It does not do this directly, so I am exploring options. The stunnel program looks promising, although more complicated than designed due to the need to hop connections with the -r option. However, I do find there is a -l option to run a program. I am assuming this works by having two processes, one to carry out the SSL/TLS work, and one to be the worker that the client is communicating with. These would then communicate by a pipe pair or a two-way socket between them.

What struck me as odd when I surveyed a number of web pages to see how to properly set this up is that whether running as a standalone daemon, or under a super daemon like inetd, the arguments for rsync are the same. How does rsync --daemon know whether it should open a socket and listen on it for many connections, or just service one connection by communicating with the stdin/stdout descriptors it has when it starts up (which really would go through the extra process to handle the encryption, decryption, and SSL/TLS protocol layer)?

And then I need to find a way to wrap the client to have it do SSL/TLS in one simple command (as opposed to connection hopping that stunnel seems to favor).

Skaperen

2 Answers


And then I need to find a way to wrap the client to have it do SSL/TLS in one simple command (as opposed to connection hopping that stunnel seems to favor).

rsync has an --rsh option to spawn stunnel and use stdin/stdout on the client side and stunnel has an exec option to spawn rsync on the server side - combining these two will get you what you want. See dozzie's rsync over SSL for some further information and readily available scripts to run this config (needs git to download).

the-wabbit
  • If rsync is not getting the network socket, how does it know NOT to do its own network listen accept loop? Or does it do this because stdin is a pipe? – Skaperen Oct 15 '12 at 14:40
  • @Skaperen Honestly, I don't know and never bothered to look it up in the source. I suppose you are right and the detection is based on something like [isatty](http://linux.die.net/man/3/isatty). – the-wabbit Oct 15 '12 at 20:27
  • I cannot find the author's email address. Some things are left out and/or not explained. How to run stunnel in inetd mode as a client (e.g. as an ssh substitute) is missing how to make it connect (not seen in the stunnel man pages). – Skaperen Oct 15 '12 at 20:34
  • I think I need to ask this question in an entirely different way. – Skaperen Oct 15 '12 at 20:35
  • @Skaperen take a look at the rsync-ssl-package's scripts (as I wrote you would need `git` to download the code set), a whole lot should become clear then. – the-wabbit Oct 15 '12 at 20:42
  • Sorry, a whole lot was not clear (I downloaded it). Two scripts and they look like one calls the other. It's not even clear what is for client and what is for server. I can understand that one script would invoke something with the other script being referenced to run something in a certain way. I'd expect 4 scripts, a pair to launch the server, and a pair to run the client (to access the server). Or am I expecting too much? – Skaperen Oct 16 '12 at 00:14
  • Technically, the answer by Wil Tan was the answer to the question I asked, so I'm checking that as the answer. However, this answer has good information (I'm just not sure, yet, how to use it). – Skaperen Oct 17 '12 at 01:53
  • @Skaperen the two shell scripts you mention are used as the client call - the main purpose of `rsync-ssl-stunnel.sh` is to parametrize certificate-based auth for the SSL connection. The config files `stunnel.conf` and `rsyncd.conf` are intended to reside on the server side (after modifications to match your environment). Running `stunnel` as a daemon to listen for connections at the server side and `rsync-ssl.sh` to invoke a transfer from the client side should provide you with the config you've asked for. – the-wabbit Oct 17 '12 at 19:24
  • So what keeps the rsync --daemon from listening on port 873 for unencrypted connections? – Skaperen Oct 21 '12 at 02:37
  • OK, I think I have figured it out, now. But the rsync-ssl-stunnel.sh script is making incomplete or incorrect assumptions about the arguments it gets from the rsync --rsh or -e option that references it. I'll try some rewriting to see what I come up with. – Skaperen Oct 25 '12 at 03:03
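The --rsh side of this answer, as an added example (not code from the original post and not from dozzie's rsync-ssl package): a small Python program that rsync runs in place of a remote shell. It takes the host out of the arguments rsync passes to an --rsh program, writes an inetd-mode stunnel client configuration (no [service] section, so stunnel uses its own stdin/stdout as the plaintext side), and execs stunnel with -fd so the pipes rsync created become stunnel's plaintext end. Port 874, the CA file path and the verify/CAfile settings are assumptions made for illustration, not values from the answer.

```python
#!/usr/bin/env python3
"""rsync-ssl-rsh.py: a --rsh program that wraps stunnel on the client side.

Invoke as:       rsync -e ./rsync-ssl-rsh.py -av host::module/ dest/
rsync then runs: ./rsync-ssl-rsh.py [-l user] host rsync --server --daemon .
We keep only the host, build an inetd-mode stunnel client config on the fly,
and exec stunnel so that it speaks TLS on the network and the plain rsync
daemon protocol on our stdin/stdout (the pipes rsync handed us).
"""
import os
import sys

# Assumed deployment parameters (not from the original post): the server's
# stunnel listens on 874 and presents a certificate signed by a private CA.
DEFAULT_PORT = 874
DEFAULT_CAFILE = "/etc/ssl/rsync-ca.pem"


def rsh_argv_to_host(argv):
    """Extract the target host from the argv rsync gives an --rsh program.

    rsync passes: [-l USER] HOST COMMAND...  The remote COMMAND
    (rsync --server --daemon .) is not ours to run: the server-side
    stunnel 'exec' line decides what gets started over there.
    """
    args = list(argv)
    if args[:1] == ["-l"]:
        args = args[2:]          # daemon-mode transfers ignore the user name
    if not args:
        raise SystemExit("usage: rsync-ssl-rsh.py [-l user] host cmd...")
    return args[0]


def stunnel_client_config(host, port=DEFAULT_PORT, cafile=DEFAULT_CAFILE):
    """Build an inetd-mode stunnel client configuration.

    No [service] section => stunnel does not listen; it uses its own
    stdin/stdout as the plaintext side ("inetd mode").
    verify = 2 makes stunnel require a chain to our CA; without it any
    certificate is accepted and a man-in-the-middle sees the transfer.
    """
    return (
        "client = yes\n"
        f"connect = {host}:{port}\n"
        "verify = 2\n"
        f"CAfile = {cafile}\n"
        "foreground = yes\n"
    )


def exec_stunnel(config_text):
    """Hand the config to stunnel over a pipe and replace this process with it."""
    rfd, wfd = os.pipe()
    os.write(wfd, config_text.encode())   # config is tiny; fits the pipe buffer
    os.close(wfd)
    os.set_inheritable(rfd, True)         # stunnel reads it via -fd
    os.execvp("stunnel", ["stunnel", "-fd", str(rfd)])


if __name__ == "__main__":
    exec_stunnel(stunnel_client_config(rsh_argv_to_host(sys.argv[1:])))
```

On the server, the matching stunnel.conf (assumed layout, following the package the answer points to) has a [rsync] service with accept = 874, the server certificate and key, and exec = /usr/bin/rsync with execArgs = rsync --server --daemon --config=/etc/rsyncd.conf ., so the process stunnel starts is the single-connection form of the daemon and nothing ever listens on 873 in the clear. The verify/CAfile lines are the part most scripts of this kind leave out; stunnel will complete a handshake with any certificate if you do not ask it to check one.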

From the --daemon section of the rsync(1) man page:

If standard input is a socket then rsync will assume that it is being run via inetd, otherwise it will detach from the current terminal and become a background daemon.

You can see the command line arguments that apply to daemon mode by running:

rsync --daemon --help
Wil Tan
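The check the man page describes, recreated as an added example (not code from the answer or from rsync): fd_is_socket() asks the kernel the same question rsync asks about fd 0, and spawn_like() starts a stand-in for rsync --daemon under the two kinds of plumbing that come up in this thread. A socketpair is what stunnel's exec option hands its child (an assumption about stunnel's implementation, not stated in the thread), so the child reports "inetd" and would serve that one connection on stdin/stdout without binding 873; a pipe, which is what an --rsh program gets, makes a bare --daemon report "listen", which is why the remote command rsync sends over --rsh is --server --daemon rather than --daemon alone.

```python
#!/usr/bin/env python3
"""How 'rsync --daemon' decides between listening and inetd mode.

rsync checks whether fd 0 is a socket. If it is, it serves that single
connection and never binds port 873; otherwise it detaches and listens.
This script recreates the check and runs a child under both plumbing
styles: a socketpair (stunnel 'exec' style) and an ordinary pipe.
"""
import os
import socket
import subprocess
import sys


def fd_is_socket(fd):
    """True if fd refers to a stream socket.

    getsockopt(SO_TYPE) only succeeds on a socket; on a pipe or a tty the
    kernel answers ENOTSOCK.  (Assumption: this is the test rsync's own
    is_a_socket() uses; the man page only states the observable rule.)
    """
    dupfd = os.dup(fd)                 # socket.socket() takes ownership of its fd
    try:
        sock = socket.socket(fileno=dupfd)
    except OSError:                    # ENOTSOCK: not a socket at all
        os.close(dupfd)
        return False
    with sock:
        return sock.getsockopt(socket.SOL_SOCKET, socket.SO_TYPE) == socket.SOCK_STREAM


# Stand-in for 'rsync --daemon': report which path it would take, based on fd 0.
CHILD_CODE = r"""
import socket, sys
try:
    s = socket.socket(fileno=0)
    s.getsockopt(socket.SOL_SOCKET, socket.SO_TYPE)
    sys.stdout.write("inetd")      # one connection, served on stdin/stdout
except OSError:
    sys.stdout.write("listen")     # would detach and bind port 873
"""


def spawn_like(plumbing):
    """Run the child with fd 0 wired as `plumbing` says; return its one-word verdict."""
    cmd = [sys.executable, "-c", CHILD_CODE]
    if plumbing == "socketpair":       # what stunnel's exec gives its child
        parent, child = socket.socketpair()
        with parent, child:
            proc = subprocess.Popen(cmd, stdin=child, stdout=child)
            child.close()              # parent keeps only its own end
            proc.wait()
            return parent.recv(16).decode()
    if plumbing == "pipe":             # what an --rsh program or ssh gives it
        proc = subprocess.Popen(cmd, stdin=subprocess.PIPE, stdout=subprocess.PIPE)
        out, _ = proc.communicate(b"")
        return out.decode()
    raise ValueError(plumbing)


def check_in_process():
    """Exercise fd_is_socket() on a socketpair and on a pipe in this process."""
    a, b = socket.socketpair()
    r, w = os.pipe()
    try:
        return fd_is_socket(a.fileno()), fd_is_socket(r)
    finally:
        a.close()
        b.close()
        os.close(r)
        os.close(w)


if __name__ == "__main__":
    print("in-process (socketpair, pipe):", check_in_process())
    for style in ("socketpair", "pipe"):
        print(f"child started over a {style}: {spawn_like(style)}")
```

The practical consequence for the setup discussed above: as long as the only thing that starts rsync on the server is stunnel's exec line, the daemon never takes the listening branch, so there is no plaintext 873 to firewall off. If someone also starts rsync --daemon from an init script, that instance does listen, and the TLS wrapper protects nothing.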