On Sat, Apr 14, 2007 at 12:53:57PM +0300, Atis wrote:
> On 4/14/07, Douglas Allan Tutty <[EMAIL PROTECTED]> wrote:
> > In the past, to move config or script files from one box to another on my home network I've used scp or rsync.
> >
> > However, recent discussions on the list have pointed out that root login with ssh should not be allowed.
> >
> > How then to copy files that either only root can read or only root can place, or that need owner/permissions to be unchanged?
> >
> > I have sshd set up to only allow ssh based on pre-existing keys (no password login allowed), and it only listens on the local interface, and I've got shorewall running and it doesn't allow ssh to/from the net.
>
> Well, the main idea behind "root login shouldn't be allowed" is that root is known to exist on every Linux system, so bruteforcing is one step easier (you already know the username), plus if root gets compromised, all the system gets. So there shouldn't be a simple way to get root access with only one authentication.
>
> While a private key seems to be OK, you should make sure the private key is stored on the furthest machine (so, if the machine with the public interface is lost, you don't lose the local machine automatically).
>
> But I'm thinking of a bit different scenario:
> From the destination machine you can make a key-based ssh setup to access the source machine as a limited user. On the source machine set up sudo to allow only one command (i.e. tar with some attribute-preserving parameters) to be executed as root. The tar file could be with mask 600 (so not readable by other users). Then through ssh transfer that tar file, and decompress as root.
> Drawbacks? If the public machine gets compromised, it gets read access to the local machine... but you got a copy of its configs on the public machine anyway.
>
> Regards,
> Atis
What I have done is allow root remote ssh access by key only, and for specific keys which are used to do backups etc. I further limit it by placing restrictions on what commands are allowed via ssh. Look at command= for authorized_keys.
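Atis's sudo-plus-tar idea and the command= restriction in the reply above, as one added example that is not code from the thread: a forced-command wrapper that a backup-only key is pinned to in authorized_keys, so the key can trigger exactly one attribute-preserving tar and nothing else. The authorized_keys line, the script path, SRC_DIR and the log path are assumptions.

```shell
#!/bin/sh
# Forced-command wrapper for a backup-only ssh key (added example, not code from the thread).
# Assumed entry in root's authorized_keys on the source box (restrict needs OpenSSH 7.2+):
#   restrict,command="/usr/local/bin/backup-shell" ssh-ed25519 AAAAC3... backup@dest
# sshd ignores whatever the client asked to run, executes this script instead, and hands
# the original request over in SSH_ORIGINAL_COMMAND; only the fixed request below is honoured.

SRC_DIR="${SRC_DIR:-/etc}"                 # tree the key may archive (assumption)
LOG="${LOG:-/var/log/backup-shell.log}"    # refused requests are recorded here (assumption)

# allowed_command REQUEST: print the fixed command for an allow-listed request, else return 1.
# The whole string must match, so "backup; id" or "backup && sh" is refused rather than parsed.
# For root-to-root copies between hosts add --numeric-owner so uids, not names, are stored.
allowed_command() {
    case "$1" in
        backup) printf 'tar -C %s -cf - .\n' "$SRC_DIR"; return 0 ;;  # archive to stdout
        *)      return 1 ;;
    esac
}

# dispatch REQUEST: exec the mapped command, or log the refusal and return 1.
dispatch() {
    if cmd=$(allowed_command "$1"); then
        exec $cmd    # word splitting intended; SRC_DIR is assumed to contain no spaces
    fi
    printf '%s refused "%s" from %s\n' "$(date -u +%FT%TZ)" "$1" "${SSH_CLIENT:-local}" >>"$LOG" 2>/dev/null
    printf 'request refused\n' >&2
    return 1
}

# demo_roundtrip: push a constructed tree through the allowed request and extract it with -p on
# the "destination" side; returns 0 when the 0660 mode survived the copy, umask notwithstanding.
demo_roundtrip() {
    work=$(mktemp -d) || return 1
    mkdir "$work/src" "$work/dst"
    printf 'secret=1\n' > "$work/src/app.conf"
    chmod 660 "$work/src/app.conf"
    (SRC_DIR="$work/src"; $(allowed_command backup)) | tar -C "$work/dst" -xpf -
    mode=$(stat -c %a "$work/dst/app.conf" 2>/dev/null || stat -f %Lp "$work/dst/app.conf")
    rm -rf "$work"
    [ "$mode" = "660" ]
}

# Under sshd (SSH_CONNECTION is set) act on the request; an empty request is refused as well.
if [ -n "${SSH_CONNECTION:-}" ]; then
    dispatch "${SSH_ORIGINAL_COMMAND:-}"
fi
```

On the destination side the matching call is `ssh -i backup_key root@source backup | tar -C /restore -xpf -`; the request word is the only thing the client controls, and the wrapper decides what it maps to.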