diff options
Diffstat (limited to 'rsync-ssl')
| -rwxr-xr-x | rsync-ssl | 198 |
1 files changed, 198 insertions, 0 deletions
diff --git a/rsync-ssl b/rsync-ssl new file mode 100755 index 0000000..56ee7df --- /dev/null +++ b/rsync-ssl @@ -0,0 +1,198 @@ +#!/usr/bin/env bash + +# This script uses openssl, gnutls, or stunnel to secure an rsync daemon connection. + +# By default this script takes rsync args and hands them off to the actual +# rsync command with an --rsh option that makes it open an SSL connection to an +# rsync daemon. See the rsync-ssl manpage for usage details and env variables. + +# When the first arg is --HELPER, we are being used by rsync as an --rsh helper +# script, and the args are (note the trailing dot): +# +# rsync-ssl --HELPER HOSTNAME rsync --server --daemon . +# +# --HELPER is not a user-facing option, so it is not documented in the manpage. + +# The first SSL setup was based on: http://dozzie.jarowit.net/trac/wiki/RsyncSSL +# Note that an stunnel connection requires at least version 4.x of stunnel. + +function rsync_ssl_run { + case "$*" in + *rsync://*) ;; + *::*) ;; + *) + echo "You must use rsync-ssl with a daemon-style hostname." 1>&2 + exit 1 + ;; + esac + + exec rsync --rsh="$0 --HELPER" "${@}" +} + +function rsync_ssl_helper { + if [[ -z "$RSYNC_SSL_TYPE" ]]; then + found=`path_search openssl stunnel4 stunnel` || exit 1 + if [[ "$found" == */openssl ]]; then + RSYNC_SSL_TYPE=openssl + RSYNC_SSL_OPENSSL="$found" + elif [[ "$found" == */gnutls-cli ]]; then + RSYNC_SSL_TYPE=gnutls + RSYNC_SSL_GNUTLS="$found" + else + RSYNC_SSL_TYPE=stunnel + RSYNC_SSL_STUNNEL="$found" + fi + fi + + case "$RSYNC_SSL_TYPE" in + openssl) + if [[ -z "$RSYNC_SSL_OPENSSL" ]]; then + RSYNC_SSL_OPENSSL=`path_search openssl` || exit 1 + fi + optsep=' ' + ;; + gnutls) + if [[ -z "$RSYNC_SSL_GNUTLS" ]]; then + RSYNC_SSL_GNUTLS=`path_search gnutls-cli` || exit 1 + fi + optsep=' ' + ;; + stunnel) + if [[ -z "$RSYNC_SSL_STUNNEL" ]]; then + RSYNC_SSL_STUNNEL=`path_search stunnel4 stunnel` || exit 1 + fi + optsep=' = ' + ;; + *) + echo "The RSYNC_SSL_TYPE specifies an unknown type: $RSYNC_SSL_TYPE" 1>&2 + exit 1 + ;; + esac + + if [[ -z "$RSYNC_SSL_CERT" ]]; then + certopt="" + gnutls_cert_opt="" + else + certopt="-cert$optsep$RSYNC_SSL_CERT" + gnutls_cert_opt="--x509certfile=$RSYNC_SSL_CERT" + fi + + if [[ -z "$RSYNC_SSL_KEY" ]]; then + keyopt="" + gnutls_key_opt="" + else + keyopt="-key$optsep$RSYNC_SSL_KEY" + gnutls_key_opt="--x509keyfile=$RSYNC_SSL_KEY" + fi + + if [[ -z ${RSYNC_SSL_CA_CERT+x} ]]; then + # RSYNC_SSL_CA_CERT unset - default CA set AND verify: + # openssl: + caopt="-verify_return_error -verify 4" + # gnutls: + gnutls_opts="" + # stunnel: + # Since there is no way of using the default CA certificate collection, + # we cannot do any verification. Thus, stunnel should really only be + # used if nothing else is available. + cafile="" + verify="" + elif [[ "$RSYNC_SSL_CA_CERT" == "" ]]; then + # RSYNC_SSL_CA_CERT set but empty -do NO verifications: + # openssl: + caopt="-verify 1" + # gnutls: + gnutls_opts="--insecure" + # stunnel: + cafile="" + verify="verifyChain = no" + else + # RSYNC_SSL_CA_CERT set - use CA AND verify: + # openssl: + caopt="-CAfile $RSYNC_SSL_CA_CERT -verify_return_error -verify 4" + # gnutls: + gnutls_opts="--x509cafile=$RSYNC_SSL_CA_CERT" + # stunnel: + cafile="CAfile = $RSYNC_SSL_CA_CERT" + verify="verifyChain = yes" + fi + + port="${RSYNC_PORT:-0}" + if [[ "$port" == 0 ]]; then + port="${RSYNC_SSL_PORT:-874}" + fi + + # If the user specified USER@HOSTNAME::module, then rsync passes us + # the -l USER option too, so we must be prepared to ignore it. + if [[ "$1" == "-l" ]]; then + shift 2 + fi + + hostname="$1" + shift + + if [[ -z "$hostname" || "$1" != rsync || "$2" != --server || "$3" != --daemon ]]; then + echo "Usage: rsync-ssl --HELPER HOSTNAME rsync --server --daemon ." 1>&2 + exit 1 + fi + + if [[ $RSYNC_SSL_TYPE == openssl ]]; then + exec $RSYNC_SSL_OPENSSL s_client $caopt $certopt $keyopt -quiet -verify_quiet -servername $hostname -verify_hostname $hostname -connect $hostname:$port + elif [[ $RSYNC_SSL_TYPE == gnutls ]]; then + exec $RSYNC_SSL_GNUTLS --logfile=/dev/null $gnutls_cert_opt $gnutls_key_opt $gnutls_opts $hostname:$port + else + # devzero@web.de came up with this no-tmpfile calling syntax: + exec $RSYNC_SSL_STUNNEL -fd 10 11<&0 <<EOF 10<&0 0<&11 11<&- +foreground = yes +debug = crit +connect = $hostname:$port +client = yes +TIMEOUTclose = 0 +$verify +$certopt +$cafile +EOF + fi +} + +function path_search { + IFS_SAVE="$IFS" + IFS=: + for prog in "${@}"; do + for dir in $PATH; do + [[ -z "$dir" ]] && dir=. + if [[ -f "$dir/$prog" && -x "$dir/$prog" ]]; then + echo "$dir/$prog" + IFS="$IFS_SAVE" + return 0 + fi + done + done + + IFS="$IFS_SAVE" + echo "Failed to find on your path: $*" 1>&2 + echo "See the rsync-ssl manpage for configuration assistance." 1>&2 + return 1 +} + +if [[ "$#" == 0 ]]; then + echo "Usage: rsync-ssl [--type=SSL_TYPE] RSYNC_ARG [...]" 1>&2 + echo "The SSL_TYPE can be openssl or stunnel" + exit 1 +fi + +if [[ "$1" = --help || "$1" = -h ]]; then + exec rsync --help +fi + +if [[ "$1" == --HELPER ]]; then + shift + rsync_ssl_helper "${@}" +fi + +if [[ "$1" == --type=* ]]; then + export RSYNC_SSL_TYPE="${1/--type=/}" + shift +fi + +rsync_ssl_run "${@}" |