I'm having some timeout problems trying to set up an rsync server using
stunnel according to Matt Bauer's Building Secure Linux Servers book.
Server: Debian 3.0 2.4.20
# uname -a
Linux krycek 2.4.20 #1 Sun Apr 27 15:43:43 MST 2003 i586 unknown
Client: SuSE 8.1
# uname -a
Linux scully 2.4.19-4GB #1 Fri Sep 13 13:14:56 UTC 2002 i686 unknown
Both client and server are on 192.168.0.0/24
Matt's process is slightly different than the examples found on the
stunnel website, here is the important information:
krycek (server):~# tail -2 /etc/services
# Local services
ssyncd 273/tcp # secure rsync over stunnel
scully (client):~# tail -2 /etc/services
# Local services
ssyncd 273/tcp # secure rsync over stunnel
krycek (server):~# tail -1 /etc/hosts.allow
ssync : ALL
scully(client):~# tail -1 /etc/hosts.allow
ssync : ALL
(These are the only entries in /etc/hosts.allow)
Server invocation of stunnel:
(rsync is running with rsync --daemon)
krycek (server):~# stunnel -D 7 -f -d ssyncd -r localhost:rsync -p /etc/ssl/certs/stunnel.pem -N ssync
2003.05.15 18:37:40 LOG5[5047:1024]: Using 'ssync' as tcpwrapper service name
2003.05.15 18:37:40 LOG7[5047:1024]: Snagged 64 random bytes from /root/.rnd
2003.05.15 18:37:40 LOG7[5047:1024]: Wrote 1024 new random bytes to /root/.rnd
2003.05.15 18:37:40 LOG7[5047:1024]: RAND_status claims sufficient entropy for the PRNG
2003.05.15 18:37:40 LOG6[5047:1024]: PRNG seeded successfully
2003.05.15 18:37:40 LOG7[5047:1024]: Certificate: /etc/ssl/certs/stunnel.pem
2003.05.15 18:37:40 LOG5[5047:1024]: stunnel 3.22 on i586-pc-linux-gnu PTHREAD+LIBWRAP with OpenSSL 0.9.6c 21 dec 2001
2003.05.15 18:37:40 LOG7[5047:1024]: Created pid file /var/run/stunnel.ssync.pid
2003.05.15 18:37:40 LOG5[5047:1024]: FD_SETSIZE=1024, file ulimit=1024 -> 500 clients allowed
2003.05.15 18:37:40 LOG7[5047:1024]: SO_REUSEADDR option set on accept socket
2003.05.15 18:37:40 LOG7[5047:1024]: ssync bound to 0.0.0.0:273
(client invokes rsync localhost::)
2003.05.15 18:37:48 LOG7[5047:1024]: ssync accepted FD=4 from 192.168.0.3:38099
2003.05.15 18:37:48 LOG7[5049:1026]: ssync started
2003.05.15 18:37:48 LOG5[5049:1026]: ssync connected from 192.168.0.3:38099
2003.05.15 18:37:48 LOG7[5049:1026]: ssync connecting 127.0.0.1:873
(client times out)
2003.05.15 18:40:57 LOG3[5049:1026]: remote connect: Connection timed out (110)
2003.05.15 18:40:57 LOG3[5049:1026]: Failed to initialize remote file descriptor
2003.05.15 18:40:57 LOG7[5049:1026]: ssync finished (0 left)
Client invocation of stunnel:
scully (client):~# stunnel -D7 -f -c -d rsync -r krycek:ssyncd -N ssync
LOG5[30962:1024]: Using 'ssync' as tcpwrapper service name
LOG7[30962:1024]: Snagged 64 random bytes from /root/.rnd
LOG7[30962:1024]: Wrote 1024 new random bytes to /root/.rnd
LOG7[30962:1024]: RAND_status claims sufficient entropy for the PRNG
LOG6[30962:1024]: PRNG seeded successfully
LOG5[30962:1024]: stunnel 3.14 on i586-suse-linux PTHREAD
LOG7[30962:1024]: Created pid file /var/run/stunnel/stunnel.ssync.pid
LOG7[30962:1024]: ssync bound to 0.0.0.0:873
(client invokes rsync localhost::)
LOG7[30971:1026]: ssync started
LOG5[30971:1026]: ssync connected from 127.0.0.1:38098
LOG7[30971:1026]: ssync connecting 192.168.0.6:273
LOG7[30971:1026]: Remote host connected
LOG7[30971:1026]: before/connect initialization
LOG7[30971:1026]: before/connect initialization
LOG7[30971:1026]: SSLv3 write client hello A
(client times out)
LOG7[30971:1026]: SSLv3 read server hello A
LOG3[30971:1026]: SSL_connect: error:00000000:lib(0):func(0):reason(0)
LOG7[30971:1026]: ssync finished (0 left)
Client invocation of rsync:
scully (client):~# rsync -vv localhost::
opening tcp connection to localhost port 873
(Times out after a couple minutes.)
rsync: read error: Connection reset by peer
rsync error: error in rsync protocol data stream (code 12)
stunnel.pem is in /etc/ssl/certs/ as dictated by
/usr/share/doc/stunnel/README.Debian on server.
Any thoughts? Anything else I can provide to help diagnose?
FYI, rsync krycek:: (rsync over the normal port 873) works just fine from the
client...
Thanks much,
Josh Trutwin
http://trutwins.homeip.net
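A sanity check for the server-side chain in the post above (stunnel -d ssyncd -r localhost:rsync -N ssync), added here as an example and not part of the original message: it verifies the /etc/services names, the tcpwrapper entry, and that a TCP listener on the forward target is reachable from loopback. The file contents and netstat output are constructed so the script runs offline; on a real host substitute /etc/services, /etc/hosts.allow and `netstat -tln`.

```shell
#!/bin/sh
# Added example, not from the original post. Inputs below are constructed
# stand-ins for /etc/services, /etc/hosts.allow and `netstat -tln` output.

SERVICES='rsync 873/tcp
# Local services
ssyncd 273/tcp # secure rsync over stunnel'

HOSTS_ALLOW='ssync : ALL'

NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:873             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:273             0.0.0.0:*               LISTEN'

# Port that the services file assigns to a tcp service name; empty if absent.
service_port() {
    printf '%s\n' "$2" | awk -v svc="$1" \
        '$1 == svc && $2 ~ /\/tcp$/ { split($2, a, "/"); print a[1]; exit }'
}

# True if hosts.allow has a line granting the tcpwrapper name stunnel uses (-N).
wrapper_allowed() {
    printf '%s\n' "$2" | grep -Eq "^[[:space:]]*$1[[:space:]]*:"
}

# True if a TCP listener on the port is reachable from loopback, i.e. bound to
# 127.0.0.1 or to all addresses.
loopback_listener() {
    printf '%s\n' "$2" | awk -v port="$1" \
        '$1 == "tcp" && $6 == "LISTEN" &&
         ($4 == ("127.0.0.1:" port) || $4 == ("0.0.0.0:" port)) { found = 1 }
         END { exit found ? 0 : 1 }'
}

# Run every check the server-side stunnel line depends on; returns 0 if all pass.
check_server_chain() {
    listen=$(service_port ssyncd "$SERVICES")
    target=$(service_port rsync "$SERVICES")
    [ -n "$listen" ] || { echo "ssyncd missing from /etc/services"; return 1; }
    [ -n "$target" ] || { echo "rsync missing from /etc/services"; return 1; }
    wrapper_allowed ssync "$HOSTS_ALLOW" || { echo "hosts.allow denies ssync"; return 1; }
    # A refused connect means no listener; a connect that times out although a
    # listener exists points at a packet filter dropping loopback traffic instead.
    loopback_listener "$target" "$NETSTAT" || { echo "no loopback listener on :$target"; return 1; }
    echo "stunnel :$listen -> rsync 127.0.0.1:$target looks reachable"
}

check_server_chain
```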