From owner-freebsd-security Wed Jun 30 21:59:33 1999
Delivered-To: freebsd-security@freebsd.org
Received: from cc942873-a.ewndsr1.nj.home.com (cc942873-a.ewndsr1.nj.home.com [24.2.89.207])
	by hub.freebsd.org (Postfix) with ESMTP id A7D9A1559F;
	Wed, 30 Jun 1999 21:59:28 -0700 (PDT)
	(envelope-from cjc@cc942873-a.ewndsr1.nj.home.com)
Received: (from cjc@localhost)
	by cc942873-a.ewndsr1.nj.home.com (8.9.3/8.8.8) id BAA17307;
	Thu, 1 Jul 1999 01:00:52 -0400 (EDT)
	(envelope-from cjc)
From: "Crist J. Clark"
Message-Id: <199907010500.BAA17307@cc942873-a.ewndsr1.nj.home.com>
Subject: SSH Working Like rsh
To: freebsd-questions@FreeBSD.ORG (FreeBSD Questions), freebsd-security@FreeBSD.ORG
Date: Thu, 1 Jul 1999 01:00:52 -0400 (EDT)
Reply-To: cjclark@home.com
X-Mailer: ELM [version 2.4ME+ PL40 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

As in the past
(http://www.freebsd.org/cgi/getmsg.cgi?fetch=3815870+3818463+/usr/local/www/db/text/1999/freebsd-questions/19990509.freebsd-questions),
I seem to be having some trouble understanding the SSH manpages.

I have two machines, let's call them hostA and hostB. hostA is a server and hostB is its backup. On a daily basis, I want to run a cron job on hostB that sucks up various files from hostA and then deposits them where they belong on hostB. Now, to me, the simple solution seemed to just use ssh (as I would have used rsh in past, simpler times), to do something like,

    ssh hostA "tar cf - $FILE_LIST" | tar xf -

Where ssh runs a command on hostA and pipes the stdout over the net back to the stdin of a command on hostB.

The ssh(1) manpage says,

    The second (and primary) authentication method is the rhosts or
    hosts.equiv method combined with RSA-based host authentication.
    It means that if the login would be permitted by .rhosts, .shosts,
    /etc/hosts.equiv, or /usr/local/etc/shosts.equiv, and additionally
    it can verify the client's host key (see $HOME/.ssh/known_hosts
    and /usr/local/etc/ssh_known_hosts in the FILES section), only
    then login is permitted. This authentication method closes
    security holes due to IP spoofing, DNS spoofing and routing
    spoofing. [Note to the administrator: /etc/hosts.equiv, .rhosts,
    and the rlogin/rsh protocol in general, are inherently insecure
    and should be disabled if security is desired.]

To me, it is saying that ssh should function like the rsh from the user's point of view. However, on hostA, I have placed hostB in the /etc/shost file, the user's .rhosts (root user), and made sure that the pub key for hostB is on hostA in /root/.ssh/known_hosts and /usr/local/etc/ssh_known_hosts, but I still get a request for a passphrase.

How do I set up ssh so it can run an ssh like this from a cronjob? Is the solution to give root a null passphrased private key? However, the documentation has the scary statement about 'do not use null passphrases unless you know what you are doing.' I do not know enough about what I am doing to ignore that warning for a root account.

Thanks for any pointers.
--
Crist J. Clark                           cjclark@home.com

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
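
The two conditions in the ssh(1) excerpt quoted in the message above can be checked mechanically on the server side. The script below is an added example, not part of the original post or of ssh itself; `has_host` and `rhosts_rsa_precheck` are hypothetical helper names. It assumes plain hostname entries (no `+`/`-` or netgroup syntax), and it inspects file contents only, not the server's configuration.

```shell
#!/bin/sh
# Added example: check the two conditions quoted from ssh(1) for
# rhosts + RSA host authentication. Paths are resolved under a root
# directory ($1) so the check can run against a copy of the files.

# has_host FILE HOST: true if HOST is the first field (or one of the
# comma-separated names in the first field) of a non-comment line.
has_host() {
    [ -r "$1" ] || return 1
    awk -v h="$2" '
        /^[ \t]*(#|$)/ { next }
        { n = split($1, names, ","); for (i = 1; i <= n; i++) if (names[i] == h) found = 1 }
        END { exit found ? 0 : 1 }' "$1"
}

# rhosts_rsa_precheck ROOT HOME HOST
# Prints which file satisfied each condition; returns 0 only if both hold.
rhosts_rsa_precheck() {
    root=$1 home=$2 host=$3 trust= key=
    for f in "$home/.rhosts" "$home/.shosts" /etc/hosts.equiv /usr/local/etc/shosts.equiv; do
        if has_host "$root$f" "$host"; then trust=$f; break; fi
    done
    for f in "$home/.ssh/known_hosts" /usr/local/etc/ssh_known_hosts; do
        if has_host "$root$f" "$host"; then key=$f; break; fi
    done
    echo "trust entry: ${trust:-none}"
    echo "host key:    ${key:-none}"
    [ -n "$trust" ] && [ -n "$key" ]
}

# Demo on constructed files in a scratch directory (not real system files).
demo=$(mktemp -d)
mkdir -p "$demo/root/.ssh"
echo 'hostB root' > "$demo/root/.rhosts"
echo 'hostB 1024 35 1234567 constructed-key' > "$demo/root/.ssh/known_hosts"
rhosts_rsa_precheck "$demo" /root hostB && echo "both conditions from ssh(1) hold"
rm -rf "$demo"
```

Passing `/` as ROOT checks the live files on hostA. A passing result shows only that the file-based conditions named in the manpage are met.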