Creating a Rsync GUI to Backup to a Remote Server

So I'm creating a backup GUI in Python which basically asks the user for their username/password and source directory so it can be rsynced over to a remote server. The only troubl开发者_运维知识库e I'm coming across is passing the password (entered in the GUI) to the server after I execute the command :

rsync -options source_path rsync_user@rsync_server:remote_path

Since I want the user to authenticate everytime they use the GUI I don't want to setup an automated ssh key session. I looked a bit into Pexpect and Paramiko but expect doesn't seem very secure and I wasn't sure how to configure Paramiko so I could rsync from the local computer to the remote server.

Basically I'm looking for a way to pass a password to the server (and trust the host) after the rsync command without any sort of terminal interaction (the purpose of the GUI).

Could you use this?

Some modules on the remote daemon may require authentication. If so, you will receive a password prompt when you connect. You can avoid the password prompt by setting the environment variable RSYNC_PASSWORD to the password you want to use or using the --password-file option. This may be useful when scripting rsync.

WARNING: On some systems environment variables are visible to all users. On those systems using --password-file is recommended.

From rsync(1).

First of all, it's awesome that you are doing this. There should be many more GUIs for rsync. I've written Truck - an rsync GUI app for Mac - using Python and Qt (PyQt). My chosen way of solving this problem was to generate a local keypair; save the private key locally; and append the public key to the remote host's authorized_keys files, like this:

  PRIV_KEY_PATH = "~/.ssh/private.key"
  if os.path.exists(PRIV_KEY_PATH):
        key = paramiko.RSAKey(filename=PRIV_KEY_PATH)
    else:
        touch(PRIV_KEY_PATH)
        key = paramiko.RSAKey.generate(bits=1024, progress_func=self.keygen_progress)
        key.write_private_key_file(PRIV_KEY_PATH)

    try:
        ftp_cli.chdir(".ssh")
        ftp_cli.chdir("..")
    except IOError:
        ftp_cli.mkdir(".ssh", mode=0o700)

    key_line = "{name} {key} {comment}".format(name=key.get_name(),
                                               key=key.get_base64(),
                                               comment="hello world")
    with ftp_cli.open(".ssh/authorized_keys", mode="a+") as fh:
        fh.seek(0)
        lines = fh.readlines() 
        if not key_line in lines:
            fh.write("\n" + key_line)
        fh.close()

Then, when you invoke rsync, pass it something like --rsh=ssh -i ~/.ssh/private.key.

In a few lines, you have configured a passwordless SSH login and utilised it to facilitate an rsync. Congratulations for choosing Python.

As you say you want the user to authenticate again when they next use your GUI, you'll have to consider this a temporary keyed session and clean up the authorized_keys file appropriately. I have also built a solution to this using Tkl and Expect and I would not recommend that route. Paramiko is secure unless you fudge your implementation. (P)Expect is not inherently insecure.

You might also consider setting up Paramiko as an SSH forwarding server but I have concerns about inhibiting rsync's performance by bottlenecking it through Paramiko. I think I'd prefer to use the machine's native SSH implementation.