[SOLVED] Rsync: Is it smarter to push, or smarter to pull?

bubnoff · 09-01-2009, 03:59 PM

I've heard some time ago that you should always pull from
the destination rather than push from the source. Can't recall
the reasoning ...seems that there would be risk involved either way.

Like many of you, I am syncing to a web server and am just curious
as to which method you choose and why.

I am using this command on a cron job:

Code:

rsync -az -e ssh --delete ~/goodies/* fakeuser@fakehost:/webroot/blah/

Should I be pulling from the server instead of pushing from the client?

Also, what is your take on passphrase-less keys a la ssh-keygen?

This maneuver has to be scripted as the content is auto-generated from
a database and refreshed every Monday. If you know of a more secure way
to script/schedule this without using passphrase-less ssh keys or some
clumsy expect script, your advice would be much appreciated.

Thanks for reading!

Bub

anomie · 09-01-2009, 04:05 PM

Quote:

Originally Posted by bubnoff

Should I be pulling from the server instead of pushing from the client?

Whether pushing or pulling, the source should be the volatile (changing) directory. Also, do not select a destination that you can't afford to lose data on if you're using rsync's --delete option.

Quote:

Originally Posted by bubnoff

Also, what is your take on passphrase-less keys a la ssh-keygen?

They're handy and I use them. Keep the host / account that has access to the private keys safe.

bubnoff · 09-01-2009, 05:30 PM

Thanks, I'll ditch the --delete option.

One last question; other than rsync only syncing changes, does it have other advantages over scp?

These are small files to begin with.

Thanks!

Bub

ShadowCat8 · 09-01-2009, 05:42 PM

Well, IMHO, rsync is a *lot* more fault-tolerant from a network end than scp is. If you lose a few packets from an rsync transfer, or even take a full network-hiccup, the rsync will hold it's session and be able to continue it's transfer if the network comes back before it's full timeout is reached.

Scp tends to error directly out if the connection is broken at any time. (At least that is my experience.)

HTH.

unixfool · 09-02-2009, 11:54 PM

Quote:

Originally Posted by bubnoff

Also, what is your take on passphrase-less keys a la ssh-keygen?

http://www.debian-administration.org/articles/152

http://www.mikehan.com/ssh/advanced.html (Keys without Passphrases section)

http://blogs.verilab.com/partain/200...sword-rap.html (summary at the bottom of the page)

This is a big no-no and goes against basic security. SSH is only as safe as the private key. If that doesn't have a passphrase and someone gains a copy, they've the keys to the kingdom, provided they know which door it goes to (then again, if they've gained your key, they probably have an inkling of where to use it). A lot of people take the easy way out by not using passphrases on their keys, instead of using ssh-agent. IMO, ssh-agent is the better way...it was created to assist in remote access without having to always enter a passphrase.

bubnoff · 09-03-2009, 02:27 PM

Thanks! I will look into using the ssh-agent.

Bub