rdiff-backup-users

Re: Disabling encryption for internal network


From: EricZolf
Subject: Re: Disabling encryption for internal network
Date: Sat, 4 Apr 2020 08:30:42 +0200
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.6.0

Hi,

first, I would strictly disagree that any network is safe enough to not
use encryption. If your only security is one firewall, you should assume
that someone will break it at some point in time and then your whole
network would be opened to the enemy. The enemy being possibly a
disgruntled employee. So, don't do this, unless your data and the backup
server (see below) are really worthless, but then why do you back up the
data in the first place?

This said, you're a big boy (or girl) and can make the mistakes you
want, and the principle can be of interest to others for better objectives.

The default remote schema is `ssh -C %s  rdiff-backup --server` and `%s`
will be replaced by whatever you place before the double colon `::` in
the source or target (typically `user@host` but it can be anything,
rdiff-backup doesn't check).

Now, the only important requirement for the resulting command is that it
has encumbered stdin and stdout because this is how rdiff-backup talks
to `rdiff-backup --server` (i.e. anything in between sending messages
like `welcome you're unsecure` would break the communication, unless it
is sent on stderr).

Knowing all this, calling something like `rdiff-backup --remote-schema
'rsh %s rdiff-backup --server' /sourcedir somehost::/targetdir` should
work, assuming same user on source and target. Because rsh doesn't know
about `user@host`, you would need to write your own wrapper script to
split it and make use of the `-l` option on rsh.

It's been so long since I've used rsh though, I can't remember how the login
mechanism works. If the password goes over the line, it's unencrypted,
meaning you've just offered your backup server to any bad person lurking
on your network.

Other insecure commands are rlogin and telnet, don't use them, stick to
SSH or be prepared to be hacked, sooner or later.

KR, Eric

PS: for the others, check the OpenSSL performance of Raspi 3, not good:
https://libre.computer/2018/03/21/raspberry-pi-3-model-b-review-and-comparison/
and Raspi 4 doesn't seem better in this regard...

On 03/04/2020 18:18, Dark Empathy wrote:
> Hi,
> 
> Please excuse the simple question, but I am unable to work out what to do
> from the man page alone.
> 
> What is a way to disable encryption for an internal network, where it is
> not required? (Linux to Linux).  Is this possible with perhaps an rsync
> server and --remote-schema?
> 
> I have a situation where we have data on Raspberry Pi 3's spread over a
> private WAN.  Data security, in this particular case, is of zero
> importance.  However, I would prefer not to disable encryption on the SSH
> server.
> 
> Are there any suggestions to run rdiff-backup at maximum speed, no
> encryption, on an internal network?
> 
> Thank you kindly.
> 
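
The wrapper script mentioned in the message above, as an added example (not part of the original post and not rdiff-backup code). The script name `rsh-wrap`, the allowed character set and the `rsh [-l user] host command` calling form are assumptions; because rdiff-backup does not check the text before `::`, the wrapper validates it before it reaches rsh, and it writes diagnostics only to stderr so stdout stays free for the protocol.

```shell
#!/bin/sh
# rsh-wrap (hypothetical name): invoked by rdiff-backup as
#   rsh-wrap [user@]host rdiff-backup --server
# stdout carries the rdiff-backup protocol, so nothing here prints to it
# except the remote command itself.

# Split "[user@]host" and print the rsh arguments, one per line.
# Returns non-zero, with a message on stderr, if the spec is unsafe.
split_target() {
    spec=$1
    case $spec in
        *@*) user=${spec%%@*}; host=${spec#*@} ;;
        *)   user=;            host=$spec ;;
    esac
    # The spec arrives unchecked: refuse anything rsh could parse as an
    # option, and anything outside a conservative character set (assumed).
    case $host in
        ''|-*|*[!A-Za-z0-9._-]*)
            echo "rsh-wrap: bad host '$host'" >&2; return 1 ;;
    esac
    case $user in
        -*|*[!A-Za-z0-9._-]*)
            echo "rsh-wrap: bad user '$user'" >&2; return 1 ;;
    esac
    if [ -n "$user" ]; then
        printf '%s\n' -l "$user" "$host"
    else
        printf '%s\n' "$host"
    fi
}

main() {
    args=$(split_target "$1") || exit 2
    shift
    # $args is left unquoted on purpose: validation above guarantees it
    # holds no whitespace or glob characters, so it splits into clean words.
    exec rsh $args "$@"
}

# Run only when called with arguments (as rdiff-backup does).
[ $# -eq 0 ] || main "$@"
```

With the script on the PATH, the schema would read `--remote-schema 'rsh-wrap %s rdiff-backup --server'` and the target `user@somehost::/targetdir`.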
