Hacker News new | past | comments | ask | show | jobs | submit login

There's something I am missing here. I sync my servers with rsync, but it is over ssh - is this still vulnerable?



If you explicitly use "-e ssh" and don't run a daemon, then these probably don't affect you.

If you don't specify that protocol, though, you have three scenarios:

1. only the local host has the rsync binary 2. both local and remote hosts have the binary, but neither runs them as a daemon 3. both have the binary and the remote runs as the daemon

In #1 you end up using SSH anyway (unless there's also no SSH binary). In #2, a malicious server binary could attack you. In #3, a malicious server binary could attack you.

Also, many of rsync's features rely upon both sides having the binary.


Wow, thank you - this is exactly what I didn't get. You explained it super well.

I am number 2, and so I guess it wont affect me as long as the fingerprint doesn't change to a malicious server that have taken over an IP.




Join us for AI Startup School this June 16-17 in San Francisco!

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: