From: Alson van der Meulen <alson@mediadesign.nl>
Date: Thu, 19 Jul 2001 00:54:06 +0200
To: security@FreeBSD.ORG
Subject: Re: Piping and scripts with scp
Message-ID: <20010719005405.E15065@md2.mediadesign.nl>
References: <200107181959.NAA06459@lariat.org> <4.3.2.7.2.20010718160356.04478100@localhost>
In-Reply-To: <4.3.2.7.2.20010718160356.04478100@localhost>
User-Agent: Mutt/1.3.18i

On Wed, Jul 18, 2001 at 04:23:03PM -0600, Brett Glass wrote:
> At 02:04 PM 7/18/2001, Alson van der Meulen wrote:
>
> >You really should use RSA keys without passphrase for this,
>
> The problem with un-passphrased RSA keys is that they provide
> no more security but create logistical problems. Since
> the script will be run by cron as root, it means either
> generating an un-passphrased key pair for root (not wise!)
> and/or generating a special key pair for the script, which
> is stored... where? In whose directory? There's no convention
> for this, so the next admin who comes along will have to figure
> out what's what. Second, the RSA keys afford no additional
> security, since if someone breaks root and gets the
> un-passphrased key pair he's home free (just as if he'd plucked
> an unencrypted password out of a batch file). So, overall, we
> have a bunch more complexity and many more things to go wrong
> with no security benefit.

ssh-keys aren't more complex than passing passwords from a script to
ssh, since ssh isn't designed to read passwords from stdin or some
file. You can just document the location of the keypair in your script,
and add it to the remote root's ./.ssh/authorized_keys, shouldn't be
that complex imho..

> BTW, from what people are telling me, scp doesn't allow data
> to be piped into it (as does ftp), which means I have to
> use ssh and invoke "cat" (or something similar) on the other
> side. A bit awkward. (Perhaps using "-" to mean standard input
> or output should be allowed in scp, as it is in so many
> other utilities. Or maybe the ftp "|" syntax could be used....
> The latter is more complex because scp would have to fork a
> shell and execute the command as a data source/sink.)

scp actually does something like

cat foo | ssh bar cat \> foo
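A defensive way to set up what Alson describes, added here as an example and not code from the thread: the key lives at a documented path, the transfer is the `cat foo | ssh host cat \> foo` pipe, and the receiving account's authorized_keys entry carries a forced command, so a key stolen by someone who "breaks root" can only drop files into one directory rather than being "home free". Assumed names: /root/.ssh/backup_push_key, the unprivileged account backup@backuphost, and /var/backups/incoming.

```shell
#!/bin/sh
# Added example, not code from the thread. Root cron job pushes a file over
# ssh with a dedicated, unpassphrased key; the matching authorized_keys line
# restricts what that key may do on the receiving host.
# Assumed names: KEY path, backup@backuphost, /var/backups/incoming.

KEY=${KEY:-/root/.ssh/backup_push_key}   # dedicated key, location documented here
TARGET=${TARGET:-backup@backuphost}     # unprivileged account, never remote root
REMOTE_DIR=${REMOTE_DIR:-/var/backups/incoming}

# Receiving side: authorized_keys line to install for the key's .pub material ($1).
# The forced command ignores whatever the client asks to run and only writes one
# new, timestamped file into REMOTE_DIR; no shell, pty, agent or port forwarding.
# (Adding from="<sender ip>" in front of command= narrows it further.)
restricted_authorized_key() {
    printf 'command="cat > %s/upload-$(date +%%Y%%m%%d%%H%%M%%S)",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty %s\n' \
        "$REMOTE_DIR" "$1"
}

# Sending side, run from root's crontab. BatchMode never prompts for a
# passphrase or password, so a missing or wrong key fails instead of hanging
# cron; -T suppresses any pty request, IdentitiesOnly pins the dedicated key.
push_file() {
    f=$1
    [ -r "$f" ] || { echo "push_file: cannot read $f" >&2; return 1; }
    ssh -T -i "$KEY" -o BatchMode=yes -o IdentitiesOnly=yes "$TARGET" < "$f"
}

# Usage: backup-push.sh /path/to/dump  (no argument: only define the functions)
if [ $# -gt 0 ]; then
    push_file "$1"
fi
```

Non-zero exit from `push_file` means the remote `cat` (or the connection) failed, so a cron wrapper should check it before discarding the local copy.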