A Kerberos patch for rsync


A small patch to replace the challenge/response authentication of rsync with a GSSAPI-based one.

With it, rsync's authentication can be integrated with a centralized system such as Kerberos, and the security is much better. If Kerberos is used, its SSO features are also inherited.


To use it, add this line to a module configuration:

    use gssapi = yes

And instead of login names, use GSSAPI principals.


For the lazy, there is an RPM spec file.

Apply the patch

Download it

    cd rsync-3.0.8
    bunzip2 < rsync-3.0.8.diff.bz2 | patch -p1

Or, for the git version, have a look at GitHub.

Configuration and compilation

    ./configure --with-gssapi
    make install

Change the rsyncd.conf

In every module you want to protect, add the line: use gssapi = yes

and change the user to the full principal name. For example:

    use gssapi = yes
    auth users = fbacchella@ASYD.NET

Usage with MIT Kerberos

The service name for krsync is rsync, so you should create a principal and then save the keytab:

    add_principal -randkey rsync/devel.asyd.net
    ktadd -k /etc/rsync/rsync.keytab  rsync/devel.asyd.net
    chmod 400 /etc/rsync/rsync.keytab
    chown rsync:rsync /etc/rsync/rsync.keytab

and start rsyncd with the correct keytab:

    KRB5_KTNAME=/etc/rsync/rsync.keytab rsyncd

To use krsync as a user, don't forget to run kinit to get your Kerberos principal if it's not already done, and enjoy the full power of Kerberos SSO. You can check your principal with the klist command.
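
A way to check the result of the configuration and keytab steps above, as an added example that is not part of the patch or of the original page: it reports modules in an rsyncd.conf that set auth users without use gssapi = yes, or with a name that is not a full principal, and checks the keytab mode. It assumes that a use gssapi line placed before the first module acts as a default; the function names and the sample configuration are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the patch: audit an rsyncd.conf for modules that
# set "auth users" without GSSAPI or with names that are not full principals.
# Assumption: "use gssapi" before the first module acts as a default.

# Print "<module>: <reason>" per problem; empty output means clean.
audit_rsyncd_conf() {
    awk '
    function flush(   i, n, u) {
        if (mod == "" || users == "") return      # only modules with auth users
        if (gss != "yes") print mod ": use gssapi is not enabled"
        n = split(users, u, /[ ,\t]+/)
        for (i = 1; i <= n; i++)
            if (u[i] != "" && u[i] !~ /^[^@]+@[^@]+$/)
                print mod ": auth user \"" u[i] "\" is not a full principal"
    }
    /^[ \t]*(#|$)/ { next }                        # comments and blank lines
    /^[ \t]*\[/ {                                  # module header
        flush()
        mod = $0; gsub(/^[ \t]*\[[ \t]*|[ \t]*\].*$/, "", mod)
        gss = default_gss; users = ""
        next
    }
    {
        eq = index($0, "="); if (eq == 0) next
        key = tolower(substr($0, 1, eq - 1)); gsub(/[ \t]/, "", key)
        val = substr($0, eq + 1); gsub(/^[ \t]+|[ \t]+$/, "", val)
        if (key == "usegssapi") {
            v = (tolower(val) ~ /^(yes|true|1)$/) ? "yes" : "no"
            if (mod == "") default_gss = v; else gss = v
        } else if (key == "authusers" && mod != "") users = val
    }
    END { flush() }
    ' "$1"
}

# Succeed only if the keytab is a regular file with mode 0400 (chmod 400).
keytab_mode_ok() {
    [ -f "$1" ] && [ "$(ls -ld "$1" | cut -c1-10)" = "-r--------" ]
}

# Constructed sample configuration, for illustration only.
conf=$(mktemp)
printf '%s\n' '[ok]' 'use gssapi = yes' 'auth users = fbacchella@ASYD.NET' \
    '[weak]' 'auth users = fbacchella' > "$conf"
audit_rsyncd_conf "$conf"
rm -f "$conf"
```

Run audit_rsyncd_conf against the real rsyncd.conf and keytab_mode_ok against /etc/rsync/rsync.keytab before restarting the daemon.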

rsynck.txt · Last modified: 2011/08/08 22:33 by root