Ssh keys problem
Anne Wilson
cannewilson at tiscali.co.uk
Tue Mar 21 21:00:31 UTC 2006
On Tuesday 21 March 2006 20:46, Gordon Messmer wrote:
> Anne Wilson wrote:
> > I want it to be able to do a scripted rsync when I'm busy with something
> > else, so keys seem the best answer - certainly preferable to having
> > passwords in a plain text file.
>
> Yep, I do the same thing in a couple of places. To avoid using keys or
> agents that could be badly misused, I do this:
>
> 1) On the source machine (where the rsync is initiated), create an ssh key:
> $ ssh-keygen -t rsa
>
> 2) Assuming that I want to copy /export/example from the source host to
> another, I'd set up a cron job that would run:
> $ rsync -a -e ssh /export/example/ root at destination:/export/example/
>
> 3) On the destination host, I'd install the public key in the
> .ssh/authorized_keys file with the rsync "server" command specified
> (this should be just one line):
>
> command="rsync --server -logDtpr . /export/example/" ssh-rsa
> xxxxxxx-key-xxxxxx....
>
> rsync is a complex example. You have to make sure that the arguments
> match *exactly* on the source and destination hosts (adding the --server
> arg to the destination host). Note that -logDtpr is the same as -a.
>
> Most uses are more simple than that. If you're going to ssh to a
> machine to invoke any command, you can specify it in the command=""
> syntax rather than using an unrestricted key and specifying the command
> at the client. This process makes sure that if an attacker gets your
> key, he's only able to run the specific commands that the destination
> host is configured to allow. You should name your keys in such a way as
> to tie them to the command, logically, because you'll need one per
> automatic job that you create.
>
> This offers a very high level of defense, as opposed to creating either
> unrestricted keys, or using an untended ssh-agent (possibly with
> keychain). In either of those scenarios, if an attacker gets the client
> host, he'll have unrestricted access to the destination as well.
I've got commands now that work quite well, apart from getting the best
incantation for grabbing everything below /home/anne except a few listed
directories and all hidden files. I'm still working on that. I don't want
to have to do individual commands for directories, because if a new directory
was created it could get missed.
I've still a lot of reading to do, I think.
Anne
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 191 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/fedora-list/attachments/20060321/dd9b66eb/attachment-0001.sig>
More information about the fedora-list
mailing list