This is the protocol used for rsync --daemon; i.e. connections to port
873 rather than invocations over a remote shell.
-When the server accepts a connection, it prints a greeting
+When the server accepts a connection, it prints a newline-terminated
+greeting line:
- @RSYNCD: <version>.<subprotocol>
+ @RSYNCD: <version>.<subprotocol> <digest1> <digestN>
-where <version> is the numeric version (see PROTOCOL_VERSION in rsync.h)
-'.' is a literal period, and <subprotocol> is the numeric subprotocol
-version (see SUBPROTOCOL_VERSION -- it will be 0 for final releases).
-Protocols prior to 30 only output <version> alone. The daemon expects
-to see a similar greeting back from the client. For protocols prior to
-30, an absent ".<subprotocol>" value is assumed to be 0. For protocol
-30, an absent value is a fatal error. The daemon then follows this line
-with a free-format text message-of-the-day (if any is defined).
+The <version> is the numeric version (see PROTOCOL_VERSION in rsync.h)
+The <subprotocol> is the numeric subprotocol version (which is 0 for a
+final protocol version, as the SUBPROTOCOL_VERSION define discusses).
+The <digestN> names are the authentication digest algorithms that the
+daemon supports, listed in order of preference.
+
+An rsync prior to 3.2.7 omits the digest names. An rsync prior to 3.0.0
+also omits the period and the <subprotocol> value. Since a final
+protocol has a subprotocol value of 0, a missing subprotocol value is
+assumed to be 0 for any protocol prior to 30. It is considered a fatal
+error for protocol 30 and above to omit it. It is considered a fatal
+error for protocol 32 and above to omit the digest name list (currently
+31 is the newest protocol).
+
+The daemon expects to see a similar greeting line back from the client.
+Once received, the daemon follows the opening line with a free-format
+text message-of-the-day (if any is defined).
The server is now in the connected state. The client can either send
-the command
+the command:
#list
-to get a listing of modules, or the name of a module. After this, the
+(to get a listing of modules) or the name of a module. After this, the
connection is now bound to a particular module. Access per host for
this module is now checked, as is per-module connection limits.
-If authentication is required to use this module, the server will say
+If authentication is required to use this module, the server will say:
@RSYNCD: AUTHREQD <challenge>
where <challenge> is a random string of base64 characters. The client
-must respond with
+must respond with:
<user> <response>
-where <user> is the username they claim to be, and <response> is the
-base64 form of the MD4 hash of challenge+password.
+The <user> is the username they claim to be. The <response> is the
+base64 form of the digest hash of the challenge+password string. The
+chosen digest method is the most preferred client method that is also in
+the server's list. If no digest list was explicitly provided, the side
+expecting a list assumes the other side provided either the single name
+"md5" (for a negotiated protocol 30), or the single name "md4" (for an
+older protocol).
At this point the server applies all remaining constraints before
handing control to the client, including switching uid/gid, setting up
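Review bot: The digest fallback in the AUTHREQD paragraph ("md5" for a negotiated protocol 30, "md4" for an older protocol) leaves protocol 31 undefined, although the greeting text keeps the list optional until protocol 32 and names 31 as the newest protocol. State which name a peer assumes when protocol 31 is negotiated and no list was sent, for example "for a negotiated protocol 30 or 31". The same paragraph should say what happens when the client's and the daemon's lists share no digest, and whether the daemon's "order of preference" has any effect given that the client's preference decides the choice. Since a peer that sends no list is silently treated as md5 or md4, it would also help to document whether either side may refuse that fallback. Minor: the new "<version>" sentence is missing its closing period, and the removed remark that '.' is a literal period has no replacement.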
------------
Protocol version changes
+31 (2022-09-10, 3.2.7dev)
+
+ The use of a suffixed list of digest names was added as an
+ optional suffix to the greeting line.
+
30 (2007-10-04, 3.0.0pre1)
The use of a ".<subprotocol>" number was added to
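Review bot: The protocol 31 changelog entry describes the digest list only as an "optional suffix" and does not mention that it changes how the digest for the AUTHREQD response is chosen, nor that omitting the list becomes a fatal error at protocol 32 as the greeting section states. Add a sentence covering both so the changelog can be read on its own. The wording also repeats itself ("suffixed list ... added as an optional suffix"); something like "A list of digest names was added as an optional suffix to the greeting line." reads more cleanly.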