Open Source Kerberos Tooling


You can use KNC to protect your rsync traffic. The way to do this is to use rsync’s daemon mode. First, you will need to create an rsyncd.conf. Here is an example of one:

    [modulename]
        path = /path/to/your/files
        use chroot = no
        reverse lookup = no
        read only = no

Next, you must run the rsync daemon. To start it on port 2666 via KNC, you can do the following:

$ knc -l 2666 /usr/bin/rsync --config ./rsyncd.conf --daemon

This will allow any authenticated user to use it (and, with read only = no, to write to it), which may not be exactly what you want. To limit access to a single user, you can simply do something like:

$ knc -l 2666 /bin/sh -c \
> '[ X"$KNC_CREDS" = Xuser@EXAMPLE.COM ] && /usr/bin/rsync --config ./rsyncd.conf --daemon'

For more complicated authorisation checks, it is better to write a small program which checks the KNC_CREDS environment variable and makes decisions based on it. For even more complicated checks, you could have said program actually create a custom rsyncd.conf for each authenticated user which defines its own modules and rules from a template.
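One way to write the small program described above, as an added example rather than code from the KNC project: a wrapper that looks up KNC_CREDS in an access list and generates a per-user rsyncd.conf. The ACL file location, its "principal path" line format, the install path and the `serve` argument are assumptions of this example.

```shell
#!/bin/sh
# Added example: authorisation wrapper that knc runs instead of rsync, e.g.
#   knc -l 2666 /usr/local/libexec/knc-rsync-auth serve   (hypothetical path)
# ACL_FILE and its "principal path" line format are assumptions of this example.
ACL_FILE="${ACL_FILE:-/etc/knc-rsync.acl}"

# Accept only principals with a realm and a conservative character set.
valid_principal() {
    case "$1" in
        ''|*[!A-Za-z0-9._@/-]*) return 1 ;;
        *@*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the directory the principal may sync; fail if it is not listed.
# Matching is exact: no prefix, suffix or case-insensitive comparison.
lookup_path() {
    valid_principal "$1" || return 1
    while read -r princ path; do
        case "$princ" in ''|'#'*) continue ;; esac
        if [ "$princ" = "$1" ]; then
            case "$path" in /*) printf '%s\n' "$path"; return 0 ;; esac
            return 1    # listed, but path is not absolute: refuse
        fi
    done < "$ACL_FILE"
    return 1
}

# Emit a per-user rsyncd.conf with the same settings as the example above.
render_conf() {
    cat <<EOF
[modulename]
    path = $1
    use chroot = no
    reverse lookup = no
    read only = no
EOF
}

serve() {
    dir=$(lookup_path "${KNC_CREDS:-}") || { echo "access denied" >&2; exit 1; }
    conf=$(mktemp) || exit 1
    render_conf "$dir" > "$conf"
    /usr/bin/rsync --config "$conf" --daemon; rc=$?
    rm -f "$conf"; exit "$rc"
}

if [ "${1:-}" = serve ]; then serve; fi
```

The wrapper fails closed: an unset or malformed KNC_CREDS, a missing ACL file, or an unlisted principal all end the session before rsync starts.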

On the client side, you need to tell rsync to use KNC to start the connexion. To do this, use the RSYNC_CONNECT_PROG environment variable:

$ export RSYNC_CONNECT_PROG='knc service@%H 2666'

And then you can rsync:

$ rsync -av ./ host::modulename