-rw-r--r-- | .gitignore | 1 | ||||
-rw-r--r-- | Makefile.in | 12 | ||||
-rw-r--r-- | configure.ac | 3 | ||||
-rw-r--r-- | packaging/lsb/rsync.spec | 2 | ||||
-rwxr-xr-x | rsh-ssl-rsync | 113 | ||||
-rwxr-xr-x | rsync-ssl.in | 16 | ||||
-rwxr-xr-x | stunnel-rsync.in | 57 | ||||
-rw-r--r-- | stunnel-rsyncd.conf.in | 4 |
8 files changed, 132 insertions, 76 deletions
@@ -25,7 +25,6 @@ aclocal.m4 /gmon.out /rsync /rsync-ssl -/stunnel-rsync /stunnel-rsyncd.conf /shconfig /testdir diff --git a/Makefile.in b/Makefile.in index 4d6eadc6..3057dc33 100644 --- a/Makefile.in +++ b/Makefile.in @@ -63,7 +63,7 @@ CHECK_OBJS=tls.o testrun.o getgroups.o getfsdev.o t_stub.o t_unsafe.o trimslash. $(CC) -I. -I$(srcdir) $(CFLAGS) $(CPPFLAGS) -c $< @CC_SHOBJ_FLAG@ @OBJ_RESTORE@ -all: Makefile rsync$(EXEEXT) rsync-ssl stunnel-rsync stunnel-rsyncd.conf @MAKE_MAN@ +all: Makefile rsync$(EXEEXT) rsync-ssl stunnel-rsyncd.conf @MAKE_MAN@ install: all -${MKDIR_P} ${DESTDIR}${bindir} @@ -73,10 +73,10 @@ install: all if test -f rsync.1; then ${INSTALLMAN} -m 644 rsync.1 ${DESTDIR}${mandir}/man1; fi if test -f rsyncd.conf.5; then ${INSTALLMAN} -m 644 rsyncd.conf.5 ${DESTDIR}${mandir}/man5; fi -install-ssl-client: rsync-ssl stunnel-rsync +install-ssl-client: rsync-ssl -${MKDIR_P} ${DESTDIR}${bindir} ${INSTALLCMD} -m 755 rsync-ssl ${DESTDIR}${bindir} - ${INSTALLCMD} -m 755 stunnel-rsync ${DESTDIR}${bindir} + ${INSTALLCMD} -m 755 rsh-ssl-rsync ${DESTDIR}${bindir} install-ssl-daemon: stunnel-rsyncd.conf -${MKDIR_P} ${DESTDIR}/etc/stunnel @@ -198,10 +198,6 @@ rsync-ssl: $(srcdir)/rsync-ssl.in Makefile sed 's;\@bindir\@;$(bindir);g' <$(srcdir)/rsync-ssl.in >rsync-ssl @chmod +x rsync-ssl -stunnel-rsync: $(srcdir)/stunnel-rsync.in Makefile - sed 's;\@stunnel4\@;$(stunnel4);g' <$(srcdir)/stunnel-rsync.in >stunnel-rsync - @chmod +x stunnel-rsync - stunnel-rsyncd.conf: $(srcdir)/stunnel-rsyncd.conf.in Makefile sed 's;\@bindir\@;$(bindir);g' <$(srcdir)/stunnel-rsyncd.conf.in >stunnel-rsyncd.conf @@ -239,7 +235,7 @@ cleantests: # the source directory. distclean: clean rm -f Makefile config.h config.status - rm -f rsync-ssl stunnel-rsync stunnel-rsyncd.conf + rm -f rsync-ssl stunnel-rsyncd.conf rm -f lib/dummy popt/dummy zlib/dummy rm -f $(srcdir)/Makefile $(srcdir)/config.h $(srcdir)/config.status rm -f $(srcdir)/lib/dummy $(srcdir)/popt/dummy $(srcdir)/zlib/dummy 
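Review bot: The `install-ssl-client` recipe in the second Makefile.in hunk installs `rsh-ssl-rsync` by its bare name, but unlike `rsync-ssl` (generated into the build directory from `rsync-ssl.in` by the sed rule further down) the new script is a plain source-tree file, so an out-of-tree build whose working directory is not `$(srcdir)` will not find it. The other source-file references in this Makefile carry the `$(srcdir)/` prefix, so the line should read `${INSTALLCMD} -m 755 $(srcdir)/rsh-ssl-rsync ${DESTDIR}${bindir}`. The `all` and `distclean` hunks are consistent with dropping the generated stunnel-rsync and need no change.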
diff --git a/configure.ac b/configure.ac index 8e44eca4..55fccd8e 100644 --- a/configure.ac +++ b/configure.ac @@ -974,9 +974,6 @@ AC_SUBST(BUILD_POPT) AC_SUBST(BUILD_ZLIB) AC_SUBST(MAKE_MAN) -AC_PATH_PROG([STUNNEL], [stunnel], [stunnel], [$PATH$PATH_SEPARATOR/usr/sbin$PATH_SEPARATOR/sbin]) -AC_PATH_PROG([STUNNEL4], [stunnel4], [$STUNNEL], [$PATH$PATH_SEPARATOR/usr/sbin$PATH_SEPARATOR/sbin]) - AC_CHECK_FUNCS(_acl __acl _facl __facl) ################################################# # check for ACL support diff --git a/packaging/lsb/rsync.spec b/packaging/lsb/rsync.spec index 0e7794c4..f527976e 100644 --- a/packaging/lsb/rsync.spec +++ b/packaging/lsb/rsync.spec @@ -84,7 +84,7 @@ rm -rf $RPM_BUILD_ROOT %files ssl-client %{_prefix}/bin/rsync-ssl -%{_prefix}/bin/stunnel-rsync +%{_prefix}/bin/rsh-ssl-rsync %files ssl-daemon %config(noreplace) /etc/stunnel/rsyncd.conf diff --git a/rsh-ssl-rsync b/rsh-ssl-rsync new file mode 100755 index 00000000..15135ef2 --- /dev/null +++ b/rsh-ssl-rsync 
@@ -0,0 +1,113 @@ +#!/bin/bash +# This must be called as (note the trailing dot): +# +# rsh-ssl-rsync HOSTNAME rsync --server --daemon . +# +# ... which is typically done via the rsync-ssl script, which results in something like this: +# +# rsync --rsh=rsh-ssl-rsync -aiv HOSTNAME::module [ARGS] +# +# This SSL setup based on the files by: http://dozzie.jarowit.net/trac/wiki/RsyncSSL +# Note that an stunnel connection requires at least version 4.x of stunnel. + +# The environment can override our defaults using RSYNC_SSL_* variables + +if [[ -z "$RSYNC_SSL_TYPE" ]]; then + RSYNC_SSL_TYPE=stunnel +fi + +case "$RSYNC_SSL_TYPE" in + stunnel) + if [[ -z "$RSYNC_SSL_STUNNEL" ]]; then + IFS_SAVE="$IFS" + IFS=: + for prog in stunnel4 stunnel; do + for dir in $PATH; do + [[ -z "$dir" ]] && dir=. + if [[ -f "$dir/$prog" && -x "$dir/$prog" ]]; then + RSYNC_SSL_STUNNEL="$dir/$prog" + break 2 + fi + done + done + IFS="$IFS_SAVE" + fi + if [[ -z "$RSYNC_SSL_STUNNEL" ]]; then + echo "Failed to find stunnel on your path." 1>&2 + echo "Maybe export RSYNC_SSL_STUNNEL=/path or RSYNC_SSL_TYPE=openssl." 
1>&2 + exit 1 + fi + optsep=' = ' + ;; + openssl) + optsep=' ' + ;; + *) + echo "The RSYNC_SSL_TYPE is not set to a known type: $RSYNC_SSL_TYPE" 1>&2 + exit 1 + ;; +esac + +if [[ -z "$RSYNC_SSL_CERT" ]]; then + certopt="" +else + certopt="cert$optsep$RSYNC_SSL_CERT" +fi + +if [[ -z ${RSYNC_SSL_CA_CERT+x} ]]; then + # RSYNC_SSL_CA_CERT unset - default CA set AND verify: + # openssl: + caopt="-verify_return_error -verify 4" + # stunnel: + cafile="" + verify=0 +elif [[ "$RSYNC_SSL_CA_CERT" == "" ]]; then + # RSYNC_SSL_CA_CERT set but empty -do NO verifications: + # openssl: + caopt="-verify 1" + # stunnel: + cafile="" + verify=0 +else + # RSYNC_SSL_CA_CERT set - use CA AND verify: + # openssl: + caopt="-CAfile $RSYNC_SSL_CA_CERT -verify_return_error -verify 4" + # stunnel: + cafile="CAfile = $RSYNC_SSL_CA_CERT" + verify=3 +fi + +port="${RSYNC_PORT:-0}" +if [[ "$port" == 0 ]]; then + port="${RSYNC_SSL_PORT:-874}" +fi + +# If the user specified USER@HOSTNAME::module, then rsync passes us +# the -l USER option too, so we must be prepared to ignore it. +if [[ "$1" == "-l" ]]; then + shift 2 +fi + +hostname="$1" +shift + +if [[ -z "$hostname" || "$1" != rsync || "$2" != --server || "$3" != --daemon ]]; then + echo "Usage: rsync-ssl-helper HOSTNAME rsync --server --daemon ." 1>&2 + exit 1 +fi + +if [[ $RSYNC_SSL_TYPE == openssl ]]; then + exec openssl s_client $caopt $certopt -quiet -verify_quiet -servername $hostname -connect $hostname:$port +else + # devzero@web.de came up with this no-tmpfile calling syntax: + exec stunnel -fd 10 11<&0 <<EOF 10<&0 0<&11 11<&- +foreground = yes +debug = crit +connect = $hostname:$port +client = yes +TIMEOUTclose = 0 +verify = $verify +$certopt +$cafile +EOF +fi diff --git a/rsync-ssl.in b/rsync-ssl.in index da58d6af..62ab1a57 100755 --- a/rsync-ssl.in +++ b/rsync-ssl.in 
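Review bot: The openssl branch near the end of the hunk verifies the certificate chain (`-verify 4` with `-verify_return_error`) but never checks that the certificate is issued for `$hostname`, so any certificate from a trusted CA for any name is accepted; add `-verify_hostname $hostname` beside `-servername $hostname` (available in OpenSSL 1.1.0 and later). The stunnel branch is weaker when RSYNC_SSL_CA_CERT is unset: the comment says "default CA set AND verify", yet `verify=0` and an empty `cafile` disable peer verification entirely, so the two backends give different guarantees for the same environment — either point stunnel at the system CA store with a non-zero `verify`, or reword the comment to state that stunnel skips verification in that case. The usage message also names `rsync-ssl-helper` rather than this script's actual name, rsh-ssl-rsync.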
@@ -1,12 +1,20 @@ #!/bin/bash -# This script supports using stunnel to secure an rsync daemon connection. -# Note that this requires at least version 4.x of stunnel. +# This script supports using stunnel or openssl to secure an rsync daemon connection. +# The first option can be --type=stunnel or --type=openssl to choose your connection +# type (overriding any $RSYNC_SSL_TYPE default value). + +if [[ "$1" == --type=* ]]; then + export RSYNC_SSL_TYPE="${1/--type=/}" + shift +fi + case "$@" in *rsync://*) ;; *::*) ;; *) - echo "You must use rsync-ssl with a daemon-style hostname." 0>&1 + echo "You must use rsync-ssl with a daemon-style hostname." 1>&2 exit 1 ;; esac -exec @bindir@/rsync --rsh=@bindir@/stunnel-rsync "${@}" + +exec @bindir@/rsync --rsh=@bindir@/rsh-ssl-rsync "${@}" diff --git a/stunnel-rsync.in b/stunnel-rsync.in deleted file mode 100755 index ca702ae9..00000000 --- a/stunnel-rsync.in +++ /dev/null 
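Review bot: `export RSYNC_SSL_TYPE="${1/--type=/}"` in the new `--type=` guard uses pattern substitution, which removes the first occurrence of `--type=` wherever it appears; since the surrounding `[[ "$1" == --type=* ]]` has already matched it as a prefix, the prefix-strip form `export RSYNC_SSL_TYPE="${1#--type=}"` states the intent directly. The new header comment could add that the value is not validated here but by rsh-ssl-rsync, whose `case` rejects anything other than stunnel or openssl, so a typo surfaces only when the connection is attempted.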
@@ -1,57 +0,0 @@ -#!/bin/bash -# This must be called as (note the trailing dot): -# -# stunnel-rsync HOSTNAME rsync --server --daemon . -# -# ... which is typically done via the rsync-ssl script, which results in something like this: -# -# rsync --rsh=stunnel-rsync -aiv HOSTNAME::module [ARGS] -# -# This SSL setup based on the files by: http://dozzie.jarowit.net/trac/wiki/RsyncSSL -# Note that this requires at least version 4.x of stunnel. - -# The current environment can override using the RSYNC_SSL_* values: -if [ x"$RSYNC_SSL_CERT" = x ]; then - cert="" -else - cert="cert = $RSYNC_SSL_CERT" -fi - -if [ x"$RSYNC_SSL_CA_CERT" = x ]; then - cafile="" - verify=0 -else - cafile="CAfile = $RSYNC_SSL_CA_CERT" - verify=3 -fi - -port="${RSYNC_PORT:-0}" -if [ "$port" = 0 ]; then - port="${RSYNC_SSL_PORT:-874}" -fi - -# If the user specified USER@HOSTNAME::module, then rsync passes us -# the -l USER option too, so we must be prepared to ignore it. -if [ x"$1" = x"-l" ]; then - shift 2 -fi - -hostname=$1 -shift - -if [ x"$hostname" = x -o x"$1" != x"rsync" -o x"$2" != x"--server" -o x"$3" != x"--daemon" ]; then - echo "Usage: stunnel-rsync HOSTNAME rsync --server --daemon ." 1>&2 - exit 1 -fi - -# devzero@web.de came up with this no-tmpfile calling syntax: -@stunnel4@ -fd 10 11<&0 <<EOF 10<&0 0<&11 11<&- -foreground = yes -debug = crit -connect = $hostname:$port -client = yes -TIMEOUTclose = 0 -verify = $verify -$cert -$cafile -EOF diff --git a/stunnel-rsyncd.conf.in b/stunnel-rsyncd.conf.in index fd28d5d4..b3fd240e 100644 --- a/stunnel-rsyncd.conf.in +++ b/stunnel-rsyncd.conf.in @@ -4,7 +4,7 @@ foreground = no pid = /var/run/stunnel-rsyncd.pid socket = l:TCP_NODELAY=1 socket = r:TCP_NODELAY=1 -compression = rle +#compression = rle # This must be root for rsync to use chroot -- rsync will drop permissions: setuid = root setgid = root 
@@ -18,7 +18,7 @@ client = no # To allow anyone to try an ssl connection, use this: verify = 0 -CAfile = /etc/ssl/ca-bundle.pem +CAfile = /etc/ssl/certs/ca-certificates.crt # To allow only cert-authorized clients, use something like this instead of the above: #verify = 3 |
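Review bot: The new `CAfile = /etc/ssl/certs/ca-certificates.crt` is the Debian/Ubuntu bundle location; on other distributions that file does not exist, and a sample config shipped by the package should say so rather than silently assume one layout. Suggest a comment above the line: `# System CA bundle; adjust for your distribution (this is the Debian/Ubuntu path).` Since the sample keeps `verify = 0`, the file presumably only matters once an administrator switches to the `verify = 3` variant shown below it — worth confirming how stunnel treats a missing CAfile at startup.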