On Fri, Feb 6, 2009 at 5:28 PM, Robert Dailey <[email protected]> wrote:
> On Fri, Feb 6, 2009 at 4:05 PM, Derek Martin <[email protected]> wrote:
>>
>> On Fri, Feb 06, 2009 at 03:03:25PM -0600, Robert Dailey wrote:
>> > I've read the docs (man pages) for
>> > rssh <http://www.digipedia.pl/man/rssh.1.html> and
>> > rssh.conf <http://www.digipedia.pl/man/rssh.conf.5.html>, however I am
>> > at a stopping point. I really don't know enough about Linux, rssh, or
>> > ssh to be able to diagnose these problems by myself. So while it is
>> > easy to tell someone to reference the docs, that's not always the
>> > appropriate solution to all questions.
>>
>> In this case, it most definitely is.  The man pages are not the only
>> docs... in fact both man pages refer to the document you need to read.
>> Please understand, if it seems like I'm stubbornly refusing to answer
>> your questions, it's because the answers are extremely long and
>> complicated, and I have already done so -- in painstaking detail -- in
>> the documentation provided with rssh.  Please see these FAQ entries,
>> which directly address the questions you're asking here:
>>
>>  http://www.pizzashack.org/rssh/faq.shtml#6
>>
>>  http://www.pizzashack.org/rssh/faq.shtml#9
>>
>> Any information I could give you is already spelled out in the CHROOT
>> documentation file provided with rssh, which is discussed in these two
>> faq entries, and also discussed in both man pages.
>>
>> I do apologize that the website is currently broken (it's not parsing
>> shtml properly).  However it seems you found the FAQ (you said you
>> read it), and those questions are answered there...  Once you've read
>> the appropriate docs, if you can ask clear, intelligent questions
>> about what you still don't understand, I'm sure I or someone would be
>> happy to answer them.
>>
>> One last note: SECURITY IS HARD, AND MUST NOT BE TAKEN LIGHTLY.  The
>> purpose of rssh is to greatly improve one particular aspect of the
>> security of your system, as a part of a much greater whole security
>> solution involving lots of other moving parts.  However, if you don't
>> know much about Linux, SSH, and rssh, then you will almost certainly
>> fail to achieve that goal.  If you really want to make sure you're
>> achieving your goal of securing your system, I think you should plan
>> to spend several hours carefully and thoroughly reading all of the
>> docs for SSH, and rssh, and then get yourself a good book on Linux
>> security, and read it cover to cover.  Twice. ;-)  (Though, I'm only
>> half-kidding about reading it twice...)
>>
>> People often complain that I'm being unnecessarily harsh when I make
>> posts like this... believing they're an attempt to put people
>> down or something.  But that's not the case at all...  I'm simply
>> trying to warn you in very plain language that you are playing with
>> fire.  How big the fire is depends on how sensitive your data is...
>> If you implement a security solution too hastily, without
>> understanding it, you will definitely get burned.
>>
>> I'm NOT trying to suggest that if you don't understand this stuff from
>> the beginning, you're a moron (as some people seem to think).
>> Instead, I'm telling you flat out that if you don't take the time to
>> really learn how this stuff works, you probably won't get it right.
>> Scanning the man page for a couple of minutes isn't going to cut it...
>> You may even need to read and reread all the docs several times, and
>> then seek out additional information to explain the stuff you still
>> didn't understand.  That's just the way it is when you're dealing with
>> security.
>
> Thanks for taking the time to explain everything. I think the problem is
> that I want this to be simple. I want to allow a specific person to use a
> portion of my hard drive for their personal backup, and SCP comes to mind as
> the first solution. They basically have a script that they set up in a cron
> job that automatically uploads backed up archives to my server. SCP is a
> good way to do this but I have the additional security issue of them being
> able to log into my server via SSH and view my entire server's filesystem.
>
> Perhaps SSH is the wrong tool for the wrong job here. Would you recommend
> any simpler, more focused solutions? I realize this is getting a bit
> off-topic now but I hope you won't mind. I'll be honest with you, I'm not
> that interested in learning SSH, RSSH, and whatever else in that kind of
> detail. In practice I'd forget all the information anyway since I don't use
> that knowledge on a daily basis.
>
> Just so you know I did not take offense in your responses to my inquiries.
> In fact, I completely agree with you telling people to read documentation
> since it makes you less redundant. I was just hinting at possibly providing
> some URLs (Which you so kindly provided at the end).
>
> In any case, it seems RSSH is not the right tool for the right job in my
> case. I guess the last step is to figure out what *is* the right tool. I
> just need something simple and secure. I know that FTP would work perfectly
> as far as the simple part goes, because you can explicitly designate access
> to certain directories on your filesystem. However as we all know it is very
> INSECURE. Maybe FTP is the answer? I'm not sure if you could upload files to
> an FTP server in a script easily without any human interaction.
>
> _______________________________________________
> rssh-discuss mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/rssh-discuss
>
>

Yeah, Robert, even before this whole exchange unfolded I felt
motivated to say that you're jumping into the deep end with chrooting.
Derek summed up the issues of security nicely.

For what you're trying to accomplish, you might want to look at
changing the user's login shell to scponly.

Rich(ard)
-- 
Richard Edward Horner
Engineer / Composer / Electric Guitar Virtuoso
http://richhorner.com
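
An added example, not part of the message above or of the rssh or scponly projects: a POSIX shell check, run over constructed passwd(5) lines, that a backup-only account really has a restricted login shell and that no other regular account was left with an interactive one. The shell paths, account names and UID cut-off are assumptions; adjust them to the local system.

```shell
#!/bin/sh
# Constructed sample in passwd(5) format; not taken from the thread.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
backupuser:x:1001:1001:Remote backup:/home/backupuser:/usr/bin/scponly
friend:x:1002:1002:Friend:/home/friend:/bin/bash
olduser:x:1003:1003:Old account:/home/olduser:/usr/bin/rssh'

# Assumed install paths of the restricted shells; check the local package.
RESTRICTED_SHELLS='/usr/bin/scponly /usr/bin/rssh'

# shell_of USER: read passwd data on stdin, print USER's login shell
# (7th field). Exit status is non-zero when the account does not exist.
shell_of() {
    awk -F: -v u="$1" '$1 == u { print $7; found = 1 } END { exit !found }'
}

# check_restricted USER: read passwd data on stdin.
# Returns 0 if USER's shell is in RESTRICTED_SHELLS, 1 if it is anything
# else (an empty field means the system default shell, so it also fails),
# and 2 if there is no such account.
check_restricted() {
    sh_path=$(shell_of "$1") || return 2
    for allowed in $RESTRICTED_SHELLS; do
        if [ "$sh_path" = "$allowed" ]; then
            return 0
        fi
    done
    return 1
}

# list_unrestricted: read passwd data on stdin and print every regular
# account (UID >= 1000, an assumed cut-off) whose shell is not restricted.
list_unrestricted() {
    awk -F: -v allow="$RESTRICTED_SHELLS" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $3 >= 1000 && !($7 in ok) { print $1 }'
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_PASSWD" | list_unrestricted
```

On a live system the same functions can read `getent passwd` instead of the sample. The check covers only the login shell field, not which files the account can reach through scp.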
