[CLUE-Tech] rcp

Sean Reifschneider jafo at tummy.com
Tue Sep 17 13:16:00 MDT 2002


On Tue, Sep 17, 2002 at 08:26:06AM -0600, Dale Hawkins wrote:
>$ ssh-keygen -t dsa
># Do not supply a pass phrase; just hit enter.
>
>$ cat ~/.ssh/id_dsa.pub | ssh <your-server-name-goes-here> cat \>\> .ssh/authorized_keys

The problem with this is that it allows unrestricted access to the other
machine.  So, if one machine gets compromised, the other one is an easy
target as well.

There are a few things you can do to work around this.

AUTOMATIC SSH BACKUPS

OpenSSH provides the ability to specify a command associated with a key.
When that key is used for authentication, the SSH daemon will only allow
that command to be run.  So, for example, you can modify the line in your
authorized_keys file so that it looks like:

   command="id" ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEA2IX+[...] jafo@guin.tummy.com

This way, when that key is used it will only allow the "id" command to be
run.  For rsync, I usually run it manually, then in another session on the
remote end I do a "ps -awwlx | grep rsync" to find the command to list
above...

That way if one end gets compromised, it can only run the rsync command.  A
fair bit safer...

SEMI-AUTOMATIC SSH

If you are firing off the rsync manually and don't want to enter the
password every time, you can use ssh-agent.  ssh-agent holds SSH keys
unencrypted in a session for you.  Run:

   ssh-agent bash
   ssh-add

Enter your key pass-phrase.  Now if you do an "ssh user@remote", it won't
ask you for a passphrase.  I use ssh-agent to start my X session
("ssh-agent startx"), so that I can have all my X terminal sessions able to
access the ssh agent.

I have also set up xautolock so that after 10 minutes of inactivity the ssh
agent will flush my keys and I have to re-enter them, as a measure of
safety.

Sean
-- 
 You're only a programmer if you've stood under the program while the
 scaffolding was being removed.  -- Sean Reifschneider, 2001
Sean Reifschneider, Inimitably Superfluous <jafo at tummy.com>
tummy.com, ltd. - Linux Consulting since 1995.  Qmail, Python, SysAdmin
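The forced-command trick above pins one command to one key. When the key has to serve a backup job, a common refinement is to point command= at a small wrapper instead of at rsync itself: sshd still ignores what the client asked for, but it exports the client's request in SSH_ORIGINAL_COMMAND, so the wrapper can verify that request is exactly the rsync server invocation captured with ps and that it writes only under the backup tree, and log everything else. The script below is an added example and is not from the original post or from tummy.com; the option string "rsync --server -logDtpre.iLsfxC .", the directory /srv/backup and the wrapper path used in the usage note are assumptions, and the real option string must be captured on your own server as the post describes, since it changes between rsync versions.

```shell
#!/bin/sh
# Added example (not part of the original post): a forced-command wrapper for
# a backup-only SSH key.  With command="/path/to/this/script" in
# authorized_keys, sshd runs this script instead of whatever the client
# requested and puts the client's request in SSH_ORIGINAL_COMMAND.  The
# script runs the request only if it is the pinned rsync server command
# writing somewhere under BACKUP_ROOT.  Values below are assumptions.

BACKUP_ROOT='/srv/backup'
# Assumed output of "ps -awwlx | grep rsync" on the receiving side, minus the
# destination path.  Capture the real string on your server; it varies.
RSYNC_OPTS='rsync --server -logDtpre.iLsfxC .'

# log_event MSG -> writes a timestamped line to stderr.  Replace the printf
# with "logger -t rsync-wrapper" to send it to syslog instead.
log_event() {
    printf '%s rsync-wrapper: %s\n' "$(date -u '+%Y-%m-%dT%H:%M:%SZ')" "$1" >&2
}

# allowed_command CMD -> returns 0 if CMD is the pinned rsync invocation with
# a destination inside BACKUP_ROOT, 1 for anything else (including a plain
# shell, a "--sender" rsync that would read the backups back out, or a
# destination that escapes the tree).
allowed_command() {
    cmd=$1
    # Must start with the exact captured option string, then one space and
    # the destination.  Anything else is not the backup job.
    case "$cmd" in
        "$RSYNC_OPTS "*) dest=${cmd#"$RSYNC_OPTS "} ;;
        *) return 1 ;;
    esac
    # Destination must be an absolute path below BACKUP_ROOT.
    case "$dest" in
        "$BACKUP_ROOT"/*) ;;
        *) return 1 ;;
    esac
    # No shell metacharacters, no whitespace (a second argument or a smuggled
    # command), and no ".." components that would climb out of the tree.
    case "$dest" in
        *';'*|*'&'*|*'|'*|*'$'*|*'`'*|*'>'*|*'<'*|*'('*|*')'*) return 1 ;;
        *[[:space:]]*) return 1 ;;
        */../*|*/..) return 1 ;;
    esac
    return 0
}

# handle_request CMD -> logs the decision; returns 0 if CMD may run, 1 if not.
# Kept separate from the exec so the policy can be tested without sshd.
handle_request() {
    cmd=$1
    if [ -z "$cmd" ]; then
        log_event 'rejected: interactive shell requested'
        return 1
    fi
    if allowed_command "$cmd"; then
        log_event "allowed: $cmd"
        return 0
    fi
    log_event "rejected: $cmd"
    return 1
}

# Act as the forced command only when actually running under sshd, which
# sets SSH_CONNECTION for every session.
if [ -n "${SSH_CONNECTION:-}" ]; then
    if handle_request "${SSH_ORIGINAL_COMMAND:-}"; then
        # The string was checked above: it is the fixed option string plus one
        # metacharacter-free path, so splitting it into words is safe.  "set -f"
        # stops the shell from glob-expanding any of those words.
        set -f
        exec $SSH_ORIGINAL_COMMAND
    fi
    echo 'command not permitted for this key' >&2
    exit 1
fi
```

Install the script, say, as /usr/local/bin/rsync-wrapper (an assumed path) and reference it from the key's line, together with the standard option keywords that close off the other things an SSH session can do: command="/usr/local/bin/rsync-wrapper",from="backup-client.example.org",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding ssh-rsa AAAA[...]. On OpenSSH 7.2 and later the single keyword restrict turns off all of those features at once. Note that the wrapper is only as good as the captured option string: the --sender form is rejected on purpose, so the same key cannot be used to pull the backups back off the server.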


