| field | value | date |
|---|---|---|
| author | Wayne Davison <wayned@samba.org> | 2013-06-15 14:40:52 -0700 |
| committer | Wayne Davison <wayned@samba.org> | 2013-06-15 16:40:10 -0700 |
| commit | 70d4a945f7d1ab1aca2c3ca8535240fad4bdf06b (patch) | |
| tree | ae7f7090c6f8726ebd5eb4e03d4c71c72a810c8b /stunnel-rsync.in | |
| parent | 0488a14b9930bf91719ac0f1d1c0c8770ca10646 (diff) | |
| download | android_external_rsync-70d4a945f7d1ab1aca2c3ca8535240fad4bdf06b.tar.gz android_external_rsync-70d4a945f7d1ab1aca2c3ca8535240fad4bdf06b.tar.bz2 android_external_rsync-70d4a945f7d1ab1aca2c3ca8535240fad4bdf06b.zip | |
Support rsync daemon over SSL via stunnel.
Added the client rsync-ssl script and various client/daemon support
files needed for talking to an rsync daemon over SSL on port 874 (no
tls support). This uses an elegant stunnel setup that was detailed
by dozzie (see the resources page) now that stunnel4 has improved
command-spawning support. Also incorporates some tweaks by devzero
(e.g. the nice no-tmpfile-config client-side code) and a few by me
(including logging of the actual remote IP that came in to the
stunnel process). This probably still needs a little work.
Diffstat (limited to 'stunnel-rsync.in')
-rwxr-xr-x | stunnel-rsync.in | 52 |
1 files changed, 52 insertions, 0 deletions
diff --git a/stunnel-rsync.in b/stunnel-rsync.in new file mode 100755 index 00000000..f206b93a --- /dev/null +++ b/stunnel-rsync.in @@ -0,0 +1,52 @@ +#!/bin/bash +# This must be called as: +# +# stunnel-rsync HOSTNAME rsync --server --daemon . +# +# ... which is typically done via the rsync-ssl script, which results in something like this: +# +# rsync --rsh=stunnel-rsync -aiv HOSTNAME::module ... +# +# This SSL setup based on the files by: http://dozzie.jarowit.net/trac/wiki/RsyncSSL +# Note that this requires at least version 4.x of stunnel. + +# The current environment can override using the RSYNC_SSL_* values: +if [ x"$RSYNC_SSL_CERT" = x ]; then + cert="" +else + cert="cert = $RSYNC_SSL_CERT" +fi +if [ x"$RSYNC_SSL_CA_CERT" ]; then + cafile="" + verify=0 +else + cafile="CAfile = $RSYNC_SSL_CA_CERT" + verify=3 +fi +port=${RSYNC_SSL_PORT:-874} + +# If the user specified USER@HOSTNAME::module, then rsync passes us +# the -l USER option too, so we must be prepared to ignore it. +if [ x"$1" = x"-l" ]; then + shift 2 +fi + +hostname=$1 +shift + +if [ x"$hostname" = x -o x"$1" != x"rsync" -o x"$2" != x"--server" -o x"$3" != x"--daemon" ]; then + echo "Usage: stunnel-rsync HOSTNAME rsync --server --daemon ." 1>&2 + exit 1 +fi + +# devzero@web.de came up with this no-tmpfile calling syntax: +@stunnel4@ -fd 10 11<&0 <<EOF 10<&0 0<&11 11<&- +foreground = yes +debug = crit +connect = $hostname:$port +client = yes +TIMEOUTclose = 0 +verify = $verify +$cert +$cafile +EOF |
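Review bot: the CA-certificate test `if [ x"$RSYNC_SSL_CA_CERT" ]; then` is always true, because its single argument is the non-empty string `x` followed by whatever the variable holds, so the `then` branch runs unconditionally: `cafile` is always left empty and `verify=0` is always emitted into the stunnel config, and the `else` branch that sets `CAfile = $RSYNC_SSL_CA_CERT` and `verify=3` is dead code. The net effect is that the tunnel never verifies the rsync daemon's certificate, even when the caller has exported RSYNC_SSL_CA_CERT, which defeats the purpose of running the daemon over SSL against an active man-in-the-middle. The condition should mirror the RSYNC_SSL_CERT test a few lines above it: `if [ x"$RSYNC_SSL_CA_CERT" = x ]; then`. Two smaller points while here: with stunnel's `verify = 3` the file named by RSYNC_SSL_CA_CERT must contain the daemon's own certificate, not merely an issuing CA (level 2 is the setting for CA-chain verification), and that requirement belongs in the header comment next to the `RSYNC_SSL_*` override note; and the `-fd 10 11<&0 <<EOF 10<&0 0<&11 11<&-` redirection dance deserves a one-line comment explaining that it saves the real stdin on fd 11, hands the here-document to stunnel on fd 10, and then restores stdin, since the current comment only credits its author.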