Can't use RSYNC daemon via SSH connection

Question

I have a problem while trying to use RSYNC with daemon and SSH connection.

What I wan't to do is simply login to rsync without pass and be able to use the rsync daemon.

Here is my conf file (/etc/rsyncd.conf):

uid = rsync
gid = rsync

[yxz]
    path = /home/pierre/xyz
    read only = false
    auth users = rsync
    hosts allow = <myIP>

/home/pierre/xyz has gid wich rsync user can reach.

This is working (but is not using the daemon):

rsync -rzP --stats --ignore-existing --remove-sent-files rsync@mydomain.fr:/home/pierre/xyz/ /media/xyz --include="*.cfg" --exclude="*"

This is not working (using the daemon), but rsync asks me for pass and then says "@ERROR: auth failed on module xyz" because I don't have configure authentification this way :

rsync -rzP --stats --ignore-existing --remove-sent-files rsync://rsync@mydomain.fr/xyz/ /media/xyz --include="*.cfg" --exclude="*"

This is not working (using the daemon):

rsync -rzP -e "ssh -l rsync" --stats --ignore-existing --remove-sent-files rsync://rsync@mydomain.fr/xyz/ /media/xyz --include="*.cfg" --exclude="*"

Here is the error message:

rsync: connection unexpectedly closed (0 bytes received so far) [Receiver] rsync error: error in rsync protocol data stream (code 12) at io.c(605) [Receiver=3.0.9]

With -v option to the ssh command, it says connection is allowed, so I suppose rsync is the problem, not ssh.

Any idee ?

Thanks for your help :)

Answer 1

1. Make sure that you stop and disable the rsync system service. E.g. if you are using systemd: systemctl disable --now rsync.

2. Remove -l rsync from the rsync command

   rsync -rzP -e "ssh" --stats --ignore-existing --remove-sent-files rsync://mydomain.fr/xyz/ /media/xyz --include="*.cfg" --exclude="*"

3. Remove auth users = rsync from rsyncd.conf

4. I found that if I was not using root, I had to also add use chroot = no in rsyncd.conf.

Great it works, but what sort of authentification is made ?

The connection is authenticated as usual for the ssh command (specifically, the same as ssh mydomain.fr).

This does not involve the system service rsync. Instead it uses SSH to start and communicate with an instance of rsync --server --daemon .. You can see this command being started if you replace -e "ssh" with -e "ssh -v".

The problem with using the system service rsync is that it does not encrypt the network connection, so the network is able to intercept and modify the data in transit. This somewhat defeats the point of using any authentication.

---

Often this approach is used with a dedicated SSH key, using the command="" option in authorized_keys to restrict it to rsync only. A side-benefit of doing so is that it overrides the command rsync tries to use, so you can force it to use --config=~/rsyncd.conf instead of creating a global /etc/rsyncd.conf. IMO this is useful to avoid confusion IMO. It is good practice because if you create the global config file, there is some risk that you will accidentally run the insecure system service. For example Debian 9 enables the rsync system service by default, and will start it automatically at boot if you have created /etc/rsyncd.conf.

• https://gist.github.com/trendels/6582e95012f6c7fc6542

• https://indico.cern.ch/event/577279/contributions/2354037/attachments/1366772/2071442/Hepsysman-keeping-in-sync.pdf

• https://serverfault.com/questions/6367/cant-get-rsync-to-work-in-daemon-over-ssh-mode

• Unusual variant using a dedicated user with a custom shell, instead of command="" / ForceCommand, for some reason: http://mennucc1.debian.net/howto-ssh-rsyncd.html

Answer 2

To use rsync daemon without a password, you should remove auth users line from your config file.

uid = rsync
gid = rsync

[yxz]
    path = /home/pierre/xyz
    read only = false
    hosts allow = <myIP>

After starting the daemon, you can refer the module either using :: syntax or using rsync:// prefix as follows

rsync -rzv rsync@mydomain.fr::xyz/ /media/xyz 

rsync -rzv rsync://rsync@mydomain.fr/xyz/ /media/xyz 

More info: man rsyncd.conf