Re: Secure rsync setup
On 12/17/06, Thorsten Schmidt <firstname.lastname@example.org> wrote:
> However, this requires alpha having a ssh-key. Furthermore I'm not in charge
> of alpha's security, thus I have to make sure that an attacker who gained
> access to alpha's ssh-key is not able to compromise beta (well, he might be
> able to delete / modify the backed-up data, but this might be circumvented by
> regularly tarring the backed-up data).
> Thus my question is: How should I configure / secure beta to prevent this?

Something that we've done in the past is to run some sort of VPN
solution (openswan or openvpn), and then to use straight rsync (rather
than rsync over ssh). That pretty much removes the dangers of giving
ssh access (which could potentially hand someone a shell). Using SSL
keys with your VPN solution means that you get the same private/public
key advantages as with ssh. Of course he'd still be able to abuse a
hole in rsync, but I think the risk is at least lower.
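
A way to check that an rsync daemon on beta is reachable only through the VPN, as the reply above describes (an added example, not part of the original message). The two rsyncd.conf samples, the 10.8.0.0/24 VPN subnet, the module name and the paths are constructed assumptions.

```python
import ipaddress

# Constructed configs for beta's rsync daemon; 10.8.0.0/24 is an assumed VPN subnet.
WEAK = "[backup]\npath = /srv/backup\nread only = no\n"
HARDENED = """\
address = 10.8.0.2
use chroot = yes
[backup]
path = /srv/backup/alpha
read only = no
hosts allow = 10.8.0.1
auth users = alpha
secrets file = /etc/rsyncd.secrets
"""

def parse(text):
    """Return {section: {param: value}}; lines before the first [module] are 'global'."""
    conf, section = {"global": {}}, "global"
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
            conf[section] = {}
        elif "=" in line:
            key, value = line.split("=", 1)
            conf[section][key.strip().lower()] = value.strip()
    return conf

def audit(text, vpn_net="10.8.0.0/24"):
    """List settings that expose the daemon beyond the VPN or allow anonymous use."""
    net, conf, findings = ipaddress.ip_network(vpn_net), parse(text), []
    glob = conf.pop("global")

    def in_vpn(value):
        # Hostnames and wildcards do not parse as addresses and are treated as outside.
        try:
            return ipaddress.ip_network(value, strict=False).subnet_of(net)
        except (ValueError, TypeError):
            return False

    if not in_vpn(glob.get("address", "")):
        findings.append("global: daemon is not bound to a VPN address")
    for name, params in conf.items():
        eff = {**glob, **params}  # global values act as module defaults
        hosts = eff.get("hosts allow", "").replace(",", " ").split()
        if not hosts or not all(in_vpn(h) for h in hosts):
            findings.append(f"{name}: hosts allow is missing or wider than the VPN")
        if not eff.get("auth users"):
            findings.append(f"{name}: no auth users, module is anonymous")
        if eff.get("use chroot", "yes").lower() in ("no", "false", "0"):
            findings.append(f"{name}: use chroot is disabled")
    return findings
```

Run `audit()` over the real `/etc/rsyncd.conf` contents with the actual VPN subnet; an empty list means the daemon is bound to the tunnel, limited to VPN peers and requires a module login.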