Date:      Thu, 28 Mar 2002 07:05:26 +1200 (NZST)
From:      Andrew McNaughton <andrew@scoop.co.nz>
To:        Fernan Aguero <fernan@iib.unsam.edu.ar>
Cc:        FreeBSD Security <freebsd-security@FreeBSD.ORG>
Subject:   Re: using ssh to run remote commands?
Message-ID:  <20020328063946.E95005-100000@a2>
In-Reply-To: <20020327152947.B443@iib.unsam.edu.ar>




From the client account:

1) unless you already have .ssh/identity you need to create it

  ssh-keygen	# unless you already have .ssh/identity


2) add to authorized keys on the server account

  cat ~/.ssh/identity.pub | ssh user@remoteserver \
	'cat >>  ~/.ssh/authorized_keys'

Now you can log in without presenting a password, which is good for
scripts.

I'm not clear whether you want to be able to script things (meaning you
need to use keys rather than passwords), but the example here basically
shows you how to pipe data from one machine to another.

In terms of security, your main concern is that if someone gets at your
backup server, they quickly get root access to everything you are going to
back up.  If possible you should disable all remote login access to your
backup machine and manage backup and recovery from the console, and never
log in from the other end to transfer backup data.

You can have root on each machine connect to an unprivileged acct on the
backup machine to store backups, but chances are high that access to the
data amounts to a compromise anyway.

This snippet from one of my backup scripts (in perl) might be useful to
you:

------------- snip -------------
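# %nickname (filesystem => short name) and $level (dump level) are set
# elsewhere in the script.
$compress_cmd = "gzip -c";

foreach $fs (keys %nickname) {
        # dump to stdout, compress, and stream over ssh to a file on the backup host
        $dump_cmd = "dump -${level} -a -f - -u ${fs}";
        $store_cmd = "ssh -c blowfish -l day2bak -e none orc " .
                     "'cat > /or1/day2_backup/dump_$nickname{$fs}_${level}.gz'";
        $exitcode = system("$dump_cmd | $compress_cmd | $store_cmd");
}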
------------- snip -------------

You'd want to add some error checking to this.

Andrew McNaughton







On Wed, 27 Mar 2002, Fernan Aguero wrote:

> Date: Wed, 27 Mar 2002 15:29:47 -0300
> From: Fernan Aguero <fernan@iib.unsam.edu.ar>
> To: FreeBSD Security <freebsd-security@FreeBSD.ORG>
> Subject: using ssh to run remote commands?
>
> I'd like to know how to run remote commands using ssh.
> I know I can do it as myself, but I'd like to know how can I set up my
> systems to allow non-login users (root, operator, amanda) to run
> remote commands on other hosts.
>
> Specifically, I want to know how can I run restore on the backup server
> (the one holding the tape drive) to recover full filesystems to a
> remote host.
> Obviously this should be done as either root or some other privileged
> user.
>
> All examples point to rsh, and I'd like to know if this can be done
> securely using ssh.
>
> Thanks in advance for any comments or pointers,
>
> Fernan
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
>
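
The backup snippet in the reply stores the return value of system() in $exitcode without checking it, and for a shell pipeline that value is only the status of the last stage (the ssh store command), so a failed dump would go unnoticed. The following is an added example, not part of the original message: one way to run the same three-stage pipeline from POSIX sh and fail if any stage fails. The function names and the convention of passing each stage as a command string are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the original message. Function names are hypothetical.
# Each argument is one pipeline stage as a command string:
#   $1 = dump command, $2 = compress command, $3 = store (ssh) command

# What system("$dump_cmd | $compress_cmd | $store_cmd") reports: the shell
# returns only the exit status of the LAST stage.
naive_pipeline() {
    sh -c "$1 | $2 | $3"
}

# Same pipeline, but every stage records its own exit status in a private
# temp directory. Returns 0 if all stages succeeded, 1 if any stage failed,
# 2 if the temp directory could not be created.
checked_pipeline() {
    st=$(mktemp -d) || return 2
    {
        rc=0; sh -c "$1" || rc=$?; echo "$rc" > "$st/dump"
    } | {
        rc=0; sh -c "$2" || rc=$?; echo "$rc" > "$st/compress"
    } | {
        rc=0; sh -c "$3" || rc=$?; echo "$rc" > "$st/store"
    }
    result=0
    for stage in dump compress store; do
        # A missing or empty status file means the stage never reported:
        # treat that as a failure rather than assuming success.
        rc=$(cat "$st/$stage" 2>/dev/null) || rc=missing
        if [ "$rc" != 0 ]; then
            echo "backup stage '$stage' failed (status $rc)" >&2
            result=1
        fi
    done
    rm -rf "$st"
    return "$result"
}

# Intended use, with shell variables holding the same three command strings
# the Perl snippet builds:
#   checked_pipeline "$dump_cmd" "$compress_cmd" "$store_cmd" || exit 1
```

A nonzero return here should stop the script before it rotates or deletes an older backup, since the file on the backup host may be truncated.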

