public inbox for overseers@sourceware.org
* Anonymous rsync over ssh?
@ 2002-12-10  9:19 Zack Weinberg
  2002-12-10 10:05 ` Per Bothner
  2002-12-10 10:14 ` Jason Molenda
  0 siblings, 2 replies; 5+ messages in thread
From: Zack Weinberg @ 2002-12-10  9:19 UTC (permalink / raw)
  To: overseers


I'm presently in a situation where I need to maintain a local clone of
a couple of our CVS repositories.  rsync is the logical way to do
that.  Unfortunately, the machine hosting the clone is on the inside
of a firewall, and the sysadmin doesn't want to open port 873 for
outbound connections.  

It occurs to me that we could establish an 'anonymous-rsync' user with
a published SSH private key, restricted to running rsyncd.  This would
provide an alternative for people stuck behind firewalls; it's much
more common to let outbound SSH through.

Thoughts?

zw


* Re: Anonymous rsync over ssh?
  2002-12-10  9:19 Anonymous rsync over ssh? Zack Weinberg
@ 2002-12-10 10:05 ` Per Bothner
  2002-12-10 11:16   ` Joseph S. Myers
  2002-12-10 10:14 ` Jason Molenda
  1 sibling, 1 reply; 5+ messages in thread
From: Per Bothner @ 2002-12-10 10:05 UTC (permalink / raw)
  To: Zack Weinberg; +Cc: overseers

Zack Weinberg wrote:
> I'm presently in a situation where I need to maintain a local clone of
> a couple of our CVS repositories.  rsync is the logical way to do
> that.  Unfortunately, the machine hosting the clone is on the inside
> of a firewall, and the sysadmin doesn't want to open port 873 for
> outbound connections.  

I have a couple of Kawa users requesting snapshots of the CVS
version of Kawa, because they are stuck behind firewalls with
unhelpful sys-admins.

They don't need the entire repository - just to be able to check
out the trunk.  Is there some script they can use to download
files from cvsweb?

Another advantage of subversion, I understand, is that it uses
more standard ports.
-- 
	--Per Bothner
per@bothner.com   http://www.bothner.com/per/


* Re: Anonymous rsync over ssh?
  2002-12-10  9:19 Anonymous rsync over ssh? Zack Weinberg
  2002-12-10 10:05 ` Per Bothner
@ 2002-12-10 10:14 ` Jason Molenda
  1 sibling, 0 replies; 5+ messages in thread
From: Jason Molenda @ 2002-12-10 10:14 UTC (permalink / raw)
  To: Zack Weinberg; +Cc: overseers

On Tue, Dec 10, 2002 at 09:19:04AM -0800, Zack Weinberg wrote:

> It occurs to me that we could establish an 'anonymous-rsync' user with
> a published SSH private key, restricted to running rsyncd.  This would
> provide an alternative for people stuck behind firewalls; it's much
> more common to let outbound SSH through.
> 
> Thoughts?

An ssh public key in authorized_keys can be restricted to only running
a single command, which is how most write-enabled accounts are set up -
they're hardcoded to run "cvs server".

It's been a long time since I've looked at rsync.  Is there a single
hardcoded command that could be placed in an auth_keys file s.t. the
users using anonymous-rsync could only access the files we've defined?
I'm hard pressed to think of much world-readable which we'd want to
restrict access to on the system, but I'm happier if people can only
access the "gcc-cvs", "gcc-ftp", "gcc-gnats", etc., targets like I
set up in the running rsyncd.

Jason
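
As an added example (not part of the thread and not sourceware's configuration), the Python below audits authorized_keys entries of the kind discussed above: it checks that a key carries the expected forced command and has pty and forwarding disabled. The rsync command line, the config path and the key blob are assumptions constructed for illustration.

```python
# Added example (not from the thread): audit authorized_keys entries for a
# shared "anonymous" key. Option names are real OpenSSH options; the command
# path and key blob below are constructed for illustration.
import re

KEY_TYPES = ("ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-")
# name or name="value"; quoted values may contain commas, spaces and \" escapes
OPTION_RE = re.compile(r'([A-Za-z0-9-]+)(?:="((?:\\.|[^"\\])*)")?(?:,|\s+|$)')
# sshd treats option names case-insensitively, so compare in lower case
LOCKDOWN = ("no-pty", "no-port-forwarding", "no-agent-forwarding", "no-x11-forwarding")
REENABLE = ("pty", "port-forwarding", "agent-forwarding", "x11-forwarding")

def parse_entry(line):
    """Split one authorized_keys line into (options dict, key type)."""
    line, opts, pos = line.strip(), {}, 0
    while not line.startswith(KEY_TYPES, pos):
        m = OPTION_RE.match(line, pos)
        if not m:
            raise ValueError("unparseable options near: " + line[pos:pos + 20])
        value = m.group(2)
        opts[m.group(1).lower()] = True if value is None else value.replace('\\"', '"')
        pos = m.end()
    return opts, line[pos:].split()[0]

def audit(line, allowed_command):
    """Return findings for one entry; an empty list means it is locked down."""
    opts, _ = parse_entry(line)
    findings = []
    if opts.get("command") != allowed_command:
        findings.append("forced command missing or not the expected one")
    if "restrict" in opts:
        findings += [f"{o} re-enabled after restrict" for o in REENABLE if o in opts]
    else:
        findings += [f"{o} not set" for o in LOCKDOWN if o not in opts]
    return findings

# Hypothetical forced command: rsync in daemon mode over the ssh channel, with
# the exported modules listed in a dedicated config file (path is an assumption).
RSYNCD = "rsync --server --daemon --config=/etc/rsyncd-anon.conf ."
KEY = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedKeyNotReal anonymous-rsync"
SAMPLES = {
    "locked": f'command="{RSYNCD}",no-pty,no-port-forwarding,'
              f'no-agent-forwarding,no-X11-forwarding {KEY}',
    "restrict": f'restrict,command="{RSYNCD}" {KEY}',
    "bare": KEY,
    "tunnel": f'restrict,port-forwarding,command="{RSYNCD}" {KEY}',
}

if __name__ == "__main__":
    for name, entry in SAMPLES.items():
        print(name, audit(entry, RSYNCD) or "ok")
```

With a forced command in place sshd ignores whatever command the client asks for, so which files are reachable is decided by the modules defined in the daemon config rather than by the key holder.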


* Re: Anonymous rsync over ssh?
  2002-12-10 10:05 ` Per Bothner
@ 2002-12-10 11:16   ` Joseph S. Myers
  2002-12-10 22:58     ` Jason Molenda
  0 siblings, 1 reply; 5+ messages in thread
From: Joseph S. Myers @ 2002-12-10 11:16 UTC (permalink / raw)
  To: overseers

On Tue, 10 Dec 2002, Per Bothner wrote:

> Another advantage of subversion, I understand, is that it uses
> more standard ports.

As I noted on the gcc list, this breaks for users stuck behind
"transparent" port 80 proxies that don't understand WebDAV/DeltaV, who may
have no difficulty with almost every other outbound port freely available
but have a few (e.g. 80, 25, ports used by peer-to-peer systems) proxied
or blocked.  (People behind restrictive firewalls may well also have
proxies for port 80 that only do plain HTTP.  And it's been said in
previous discussions on the gcc list
<http://gcc.gnu.org/ml/gcc/2001-11/msg01047.html> that HTTPS is also
restricted by such firewalls.)

-- 
Joseph S. Myers
jsm28@cam.ac.uk


* Re: Anonymous rsync over ssh?
  2002-12-10 11:16   ` Joseph S. Myers
@ 2002-12-10 22:58     ` Jason Molenda
  0 siblings, 0 replies; 5+ messages in thread
From: Jason Molenda @ 2002-12-10 22:58 UTC (permalink / raw)
  To: Joseph S. Myers; +Cc: overseers

On Tue, Dec 10, 2002 at 07:16:20PM +0000, Joseph S. Myers wrote:

> > Another advantage of subversion, I understand, is that it uses
> > more standard ports.
> 
> As I noted on the gcc list, this breaks for users stuck behind
> "transparent" port 80 proxies that don't understand WebDAV/DeltaV, who may
> have no difficulty with almost every other outbound port freely available
> but have a few (e.g. 80, 25, ports used by peer-to-peer systems) proxied
> or blocked.  

I haven't followed the subversion dev list much, but I believe
they've added a third access method--in addition to the normal
WebDAV method they have a local filesystem method (ra_local),
there's a "ra_svn" that talks an svn protocol over TCP, and can be
tunneled over something like an ssh connection.

I hope to find more time to look at svn as it gets more mature.
I'm sure there will be a lot of people interested in trying it out
on sources.redhat.com as soon as it starts to look stable.


J

