Date: Thu, 01 Jul 1999 02:22:41 -0700
From: "Robert Sowders" <rsowders@usgs.gov>
To: cjc@cc942873-a.ewndsr1.nj.home.com, freebsd-questions@FreeBSD.ORG, freebsd-security@FreeBSD.ORG, cjclark@home.com
Subject: Re: SSH Working Like rsh
Message-ID: <s77ad111.078@usgs.gov>
It doesn't look like anyone's answered you yet. So I'll give it a try. Sorry for the long post but, what can I say? I assume you know the location of all ssh config files.

Note, fbsd 3.2 incorporates tcpwrappers by default and by default ssh is compiled with libwrap so you must make sure that your hosts.allow file is allowing the connection between the two machines. If you're not running 3.2 or you don't have any hosts.allow or hosts.deny files then don't worry about it.

First let me say that using passwordless logins will defeat part of the security of using ssh both with RhostsAuthentication and RhostsRSAAuthentication. With that said I have found that only the very elite can leverage this into anything useful without a toehold already established on one of your machines.

Make sure the sshd_config file on the receiving machine allows root logins, rhosts logins and RSA while we're at it. From here on it might be a good idea to do the same thing on both sending and receiving machines so your script will work its redirection. ( I haven't done that )

    PermitRootLogin yes
    IgnoreRhosts no
    RhostsAuthentication yes
    RhostsRSAAuthentication yes

Now kill and restart or HUP the sshd server.

Place a .shosts file in the home directory of the receiving machine you wish to connect to with the following line in the file somewhere.

    root@the.machine.your.coming.from

Connect from the sending machine to the receiving machine manually and accept the query to connect to the machine for the first time. Connect back to the sending machine from the receiving machine just to be sure. The reason for this is so the known_hosts files will be written on both machines. After this the query will not appear. Now as root from the sending machine try to ssh to the receiving machine.

If it still asks for a passwd or RSA passphrase, try it again, but this time on the receiving machine kill and restart sshd with the -d switch so it will send the debug output to the screen. Now from the sending machine ssh to the receiving machine with the -v switch so its verbose output is sent to the screen. The sending machine will tell you where it's failing and if you go to the receiving machine it will also show you what's going on and hopefully this will give you a clue about how to proceed.

If you would like to do passwordless logins with RSA passphrase then you will need to do the following. Be aware that the scary statements about null passphrased private key are there for a good reason. If someone can steal your key or copy it then they will have root on the receiving machine with no questions asked, but to do this from any machine other than the one they stole it from is very difficult and again they would have to have a toehold on your machine to start with. So Caveat Emptor.

In addition to the above, in the ssh_config uncomment the lines just to be sure, but it should already be the default.

    RhostsAuthentication yes
    RhostsRSAAuthentication yes
    RSAAuthentication yes

Now on each machine run the command ssh-keygen and when it asks for a passphrase just hit the enter key twice. Now transfer the identity.pub file from each machine to the other renaming it authorized_keys and place it in the .ssh directory in the home of root. Again run the server and client with the -d and -v switches respectively and watch the output for errors.

If you can't get passwdless logins with RSA passphrase but .shosts works for you then you might try running a cron job and tarring the files you need and then using scp to move the files for you.

Hope this helps.

>>> "Crist J. Clark" <cjc@cc942873-a.ewndsr1.nj.home.com> 6/30/99 10:00:52 PM >>>
As in the past (http://www.freebsd.org/cgi/getmsg.cgi?fetch=3815870+3818463+/usr/local/www/db/text/1999/freebsd-questions/19990509.freebsd-questions), I seem to be having some trouble understanding the SSH manpages.

I have two machines, let's call them hostA and hostB. hostA is a server and hostB is its backup. On a daily basis, I want to run a cron job on hostB that sucks up various files from hostA and then deposits them where they belong on hostB. Now, to me, the simple solution seemed to just use ssh (as I would have used rsh in past, simpler times), to do something like,

    ssh hostA "tar cf - $FILE_LIST" | tar xf -

Where ssh runs a command on hostA and pipes the stdout over the net back to the stdin of a command on hostB. The ssh(1) manpage says,

    The second (and primary) authentication method is the rhosts or
    hosts.equiv method combined with RSA-based host authentication. It
    means that if the login would be permitted by .rhosts, .shosts,
    /etc/hosts.equiv, or /usr/local/etc/shosts.equiv, and additionally
    it can verify the client's host key (see $HOME/.ssh/known_hosts and
    /usr/local/etc/ssh_known_hosts in the FILES section), only then
    login is permitted. This authentication method closes security
    holes due to IP spoofing, DNS spoofing and routing spoofing. [Note
    to the administrator: /etc/hosts.equiv, .rhosts, and the rlogin/rsh
    protocol in general, are inherently insecure and should be disabled
    if security is desired.]

To me, it is saying that ssh should function like the rsh from the user's point of view. However, on hostA, I have placed hostB in the /etc/shost file, the user's .rhosts (root user), and made sure that the pub key for hostB is on hostA in /root/.ssh/known_hosts and /usr/local/etc/ssh_known_hosts, but I still get a request for a passphrase.

How do I set up ssh so it can run a ssh like this from a cronjob? Is the solution to give root a null passphrased private key? However, the documentation has the scary statement about 'do not use null passphrases unless you know what you are doing.' I do not know enough about what I am doing to ignore that warning for a root account.

Thanks for any pointers.
-- 
Crist J. Clark
cjclark@home.com
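An added example, not part of the thread above: a small POSIX shell helper that reads an sshd_config and reports the effective value of the directives the reply toggles (PermitRootLogin, IgnoreRhosts, RhostsAuthentication, RhostsRSAAuthentication). It mirrors sshd's rule that the first occurrence of a directive wins, so a later "PermitRootLogin no" does not undo an earlier "yes"; the sample config is constructed for this example.

```shell
#!/bin/sh
# Added example (not from the thread): audit an sshd_config for the
# directives discussed above. sshd honours the FIRST occurrence of a
# directive; this helper applies the same rule when reporting values.

# Constructed sample config for offline testing (not a real host's file).
SAMPLE_CONFIG=$(cat <<'EOF'
# sshd_config (constructed sample)
Port 22
PermitRootLogin yes
IgnoreRhosts no
RhostsAuthentication yes
RhostsRSAAuthentication yes
PermitRootLogin no
EOF
)

# sshd_get <directive> <file>: print the effective value (first match,
# keyword compared case-insensitively, comment lines ignored) or "unset".
sshd_get() {
    awk -v key="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ { next }
        tolower($1) == key { print $2; found = 1; exit }
        END { if (!found) print "unset" }
    ' "$2"
}

# audit_rhosts <file>: one line per directive; settings that weaken
# authentication (root login, plain rhosts trust) are flagged RISK.
audit_rhosts() {
    for d in PermitRootLogin IgnoreRhosts RhostsAuthentication RhostsRSAAuthentication; do
        v=$(sshd_get "$d" "$1")
        case "$d:$v" in
            PermitRootLogin:yes|IgnoreRhosts:no|RhostsAuthentication:yes) flag=RISK ;;
            *) flag=ok ;;
        esac
        printf '%s=%s %s\n' "$d" "$v" "$flag"
    done
}

# Run the audit against the constructed sample.
tmp=$(mktemp)
printf '%s\n' "$SAMPLE_CONFIG" > "$tmp"
audit_rhosts "$tmp"
rm -f "$tmp"
```

Point it at a real file with `audit_rhosts /etc/ssh/sshd_config` (path is an assumption; FreeBSD 3.2 of the thread's era kept it under /usr/local/etc) to see which of the reply's relaxed settings are in effect.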