Two sparse fixes from Yuxuan Shui.
1 #!/bin/bash
2 # This must be called as (note the trailing dot):
4 # rsync-ssl-rsh HOSTNAME rsync --server --daemon .
6 # ... which is typically done via the rsync-ssl script, which results in something like this:
8 # rsync --rsh=rsync-ssl-rsh -aiv HOSTNAME::module [ARGS]
10 # This SSL setup is based on the files by: http://dozzie.jarowit.net/trac/wiki/RsyncSSL
11 # Note that an stunnel connection requires at least version 4.x of stunnel.
13 # The environment can override our defaults using RSYNC_SSL_* variables
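#######################################
# Find the first of the given program names that exists as an executable
# regular file in some directory of $PATH, and print its full path.
# Globals:   PATH (read)
# Arguments: one or more program names, tried in order of preference
# Outputs:   "$dir/$prog" of the first match to stdout; on failure a
#            diagnostic naming every candidate to stderr
# Returns:   0 if a program was found, 1 otherwise
#######################################
function path_search {
  # Split only on ':'. Making IFS local restores the caller's value on every
  # return path, so no manual save/restore is needed.
  local IFS=:
  local prog dir
  for prog in "$@"; do
    # Unquoted on purpose: $PATH is word-split into its ':'-separated entries.
    for dir in $PATH; do
      # An empty PATH entry means the current directory, as in the shell's
      # own command lookup.
      [[ -z "$dir" ]] && dir=.
      if [[ -f "$dir/$prog" && -x "$dir/$prog" ]]; then
        printf '%s\n' "$dir/$prog"
        return 0
      fi
    done
  done
  # echo joins its arguments with single spaces regardless of the local IFS.
  echo "Failed to find on your path:" "$@" 1>&2
  echo "See the rsync-ssl manpage for configuration assistance." 1>&2
  return 1
}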
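# Pick the TLS helper. Unless the environment chose one via RSYNC_SSL_TYPE,
# take whichever of stunnel4, stunnel or openssl is found first on PATH (so
# stunnel is preferred), and remember the program found so the case below
# does not have to search again.
if [[ -z "$RSYNC_SSL_TYPE" ]]; then
  found=$(path_search stunnel4 stunnel openssl) || exit 1
  if [[ "$found" == */openssl ]]; then
    RSYNC_SSL_TYPE=openssl
    RSYNC_SSL_OPENSSL="$found"
  else
    RSYNC_SSL_TYPE=stunnel
    RSYNC_SSL_STUNNEL="$found"
  fi
fi

# Resolve the helper binary (unless RSYNC_SSL_OPENSSL / RSYNC_SSL_STUNNEL
# already names it) and set $optsep, the separator used when building the
# helper's "cert" setting: a bare space for openssl command-line words, or
# " = " for a line of stunnel configuration.
case "$RSYNC_SSL_TYPE" in
openssl)
  if [[ -z "$RSYNC_SSL_OPENSSL" ]]; then
    RSYNC_SSL_OPENSSL=$(path_search openssl) || exit 1
  fi
  optsep=' '
  ;;
stunnel)
  if [[ -z "$RSYNC_SSL_STUNNEL" ]]; then
    RSYNC_SSL_STUNNEL=$(path_search stunnel4 stunnel) || exit 1
  fi
  optsep=' = '
  ;;
*)
  echo "The RSYNC_SSL_TYPE specifies an unknown type: $RSYNC_SSL_TYPE" 1>&2
  exit 1
  ;;
esac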
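# Client certificate, if the environment supplies one. openssl s_client takes
# it as the option "-cert FILE"; stunnel takes a "cert = FILE" config line,
# built with the $optsep chosen above. $certopt is expanded unquoted on the
# exec line further down, so a path containing whitespace is not supported.
if [[ -z "$RSYNC_SSL_CERT" ]]; then
  certopt=""
elif [[ "$RSYNC_SSL_TYPE" == openssl ]]; then
  # s_client option names carry a leading dash; "cert$optsep$RSYNC_SSL_CERT"
  # produced the bare word "cert", which s_client does not accept.
  certopt="-cert $RSYNC_SSL_CERT"
else
  certopt="cert$optsep$RSYNC_SSL_CERT"
fi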
# Peer verification, driven by the three states of RSYNC_SSL_CA_CERT:
#   set, non-empty -> verify against that CA file
#   set but empty  -> no verification at all
#   unset          -> verify against the helper's default CA store
# The openssl settings go into $caopt (s_client arguments); the stunnel ones
# into $cafile (a config line, possibly empty) and $verify (its verify level).
# All of them are expanded unquoted further down, so a CA path containing
# whitespace is not supported.
# NOTE(review): in the "unset" case openssl gets -verify_return_error while
# stunnel gets verify=0, and stunnel's verify levels are not the same scale as
# s_client's -verify depth; confirm the two helpers enforce the same policy.
if [[ -n "$RSYNC_SSL_CA_CERT" ]]; then
  # set and non-empty: use the given CA and verify
  caopt="-CAfile $RSYNC_SSL_CA_CERT -verify_return_error -verify 4"
  cafile="CAfile = $RSYNC_SSL_CA_CERT"
  verify=3
elif [[ -n "${RSYNC_SSL_CA_CERT+x}" ]]; then
  # set but empty: disable verification (s_client without
  # -verify_return_error does not abort on a verification failure)
  caopt="-verify 1"
  cafile=""
  verify=0
else
  # unset: default CA store, verify
  caopt="-verify_return_error -verify 4"
  cafile=""
  verify=0
fi
# Port to connect to: a non-zero RSYNC_PORT wins; otherwise RSYNC_SSL_PORT,
# and finally this script's default of 874.
port=${RSYNC_PORT:-0}
[[ "$port" == 0 ]] && port=${RSYNC_SSL_PORT:-874}
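# rsync invokes this script as: [-l USER] HOSTNAME rsync --server --daemon .
# When the user gave USER@HOSTNAME::module, rsync also passes "-l USER";
# that is ignored here, so drop both words before reading the host name.
if [[ "$1" == "-l" ]]; then
  shift 2
fi

hostname="$1"
shift

# Accept only the daemon-mode server command line quoted in the header
# comment (the trailing "." is not checked). The usage text names this
# script, rsync-ssl-rsh, rather than the older "rsync-ssl-helper".
if [[ -z "$hostname" || "$1" != rsync || "$2" != --server || "$3" != --daemon ]]; then
  echo "Usage: rsync-ssl-rsh HOSTNAME rsync --server --daemon ." 1>&2
  exit 1
fi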
113 if [[ $RSYNC_SSL_TYPE == openssl ]]; then
114 exec $RSYNC_SSL_OPENSSL s_client $caopt $certopt -quiet -verify_quiet -servername $hostname -connect $hostname:$port
115 else
116 # devzero@web.de came up with this no-tmpfile calling syntax:
117 exec $RSYNC_SSL_STUNNEL -fd 10 11<&0 <<EOF 10<&0 0<&11 11<&-
118 foreground = yes
119 debug = crit
120 connect = $hostname:$port
121 client = yes
122 TIMEOUTclose = 0
123 verify = $verify
124 $certopt
125 $cafile