Date:      Thu, 19 Jul 2001 11:49:04 +0300
From:      Peter Pentchev <roam@orbitel.bg>
To:        Brett Glass <brett@lariat.org>
Cc:        Alson van der Meulen <freebsd@alson.linuxfreak.nl>, security@FreeBSD.ORG
Subject:   Re: Piping and scripts with scp
Message-ID:  <20010719114904.B7129@ringworld.oblivion.bg>
In-Reply-To: <4.3.2.7.2.20010718160356.04478100@localhost>; from brett@lariat.org on Wed, Jul 18, 2001 at 04:23:03PM -0600
References:  <200107181959.NAA06459@lariat.org> <200107181959.NAA06459@lariat.org> <20010718220442.B15065@md2.mediadesign.nl> <4.3.2.7.2.20010718160356.04478100@localhost>

On Wed, Jul 18, 2001 at 04:23:03PM -0600, Brett Glass wrote:
> At 02:04 PM 7/18/2001, Alson van der Meulen wrote:
> 
> >You really should use RSA keys without passphrase for this, 
> 
> The problem with un-passphrased RSA keys is that they provide
> no more security but create logistical problems. Since
> the script will be run by cron as root, it means either 
> generating an un-passphrased key pair for root (not wise!)

Wrong.  You need to create an un-passphrased key that shall be *used*
by root on the cron-running machine, but that shall authenticate
a login as the *logging user* on the logging machine.  The logging user
need not be root (actually, it would be extremely unwise to log as root
even using a password).  The RSA key only authenticates a login if
the key itself is added to the authorized_keys file.  It does not need
to be added to root's authorized_keys file on the cron-running machine
just because root needs to use it.

> and/or generating a special key pair for the script, which
> is stored... where? In whose directory?  There's no convention
> for this, so the next admin who comes along will have to figure
> out what's what.

In a directory accessible by the user running the program whose
output you want logged - that is, in a directory readable by root
on the cron-running machine.

> Second, the RSA keys afford no additional 
> security, since if someone breaks root and gets the 
> un-passphrased key pair he's home free (just as if he'd plucked 
> an unencrypted password out of a batch file).

Actually, there is additional security, if you're using OpenSSH
on the logging machine.  It is true that somebody breaking root
gains access to the logging account in the password-authentication
scenario, BUT if you use keys, you can specify on the logging machine
that this key may only be used to run this particular command.
Thus, even if anyone should break root and gain access to the key,
all they would be able to do is append lines to the log.

> So, overall, we
> have a bunch more complexity and many more things to go wrong
> with no security benefit.

No more complexity than an ssh-keygen and adding an ASCII file
to a .ssh/authorized_keys file.  A great security benefit -
see above (appending to a logfile versus getting a local shell
on the logging machine).

> BTW, from what people are telling me, scp doesn't allow data
> to be piped into it (as does ftp), which means I have to
> use ssh and invoke "cat" (or something similar) on the other
> side. A bit awkward.

Or as given in the message you replied to, ssh loghost dd of=logfile.

> (Perhaps using "-" to mean standard input
> or output should be allowed in scp, as it is in so many
> other utilities. Or maybe the ftp "|" syntax could be used....
> The latter is more complex because scp would have to fork a
> shell and execute the command as a data source/sink.)

G'luck,
Peter

-- 
The rest of this sentence is written in Thailand, on
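
The following is an added example, not code from the original message or from anyone in the thread. It sketches the two pieces Peter's argument rests on: a forced command on the logging host that can only append to one file, and the authorized_keys entry that pins the cron host's un-passphrased key to that command (with the OpenSSH key options that disable forwarding and pty allocation). The account name "logger", the host name "loghost", the forced-command path /usr/local/bin/append-log, the key file path and the public key string are all placeholders assumed for this example; the ssh options used (-i, -o BatchMode=yes) and the authorized_keys options (command=, no-port-forwarding, no-X11-forwarding, no-agent-forwarding, no-pty) are real OpenSSH features.

```shell
#!/bin/sh
# Added example (not from the original thread).  Names below are assumptions:
# the logging account "logger" on "loghost", the forced command installed as
# /usr/local/bin/append-log, and the demo public key are all constructed.

# Logging host: the forced command.  sshd runs this instead of whatever the
# client asked for (the request is only exposed as $SSH_ORIGINAL_COMMAND and
# is ignored here), so a stolen key can append lines and nothing else.
append_log() {
    logfile=$1
    # ">>" opens the file with O_APPEND, so overlapping cron runs from
    # several hosts do not overwrite each other's data.
    cat >> "$logfile"
}

# Logging host: build the authorized_keys entry.  "command=" forces the
# program above; the no-* options close the other things a key could do
# through sshd (port tunnels, X11, agent forwarding, an interactive pty).
restricted_key_line() {
    pubkey=$1        # one line of the cron host's public key file
    forced_cmd=$2    # absolute path of the forced command
    printf 'command="%s",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty %s\n' \
        "$forced_cmd" "$pubkey"
}

# Cron host: ship a program's output over the restricted key.  The remote
# command given here is ignored because of the forced command, but
# "dd of=logfile" keeps the intent readable, as in the message Peter cites.
# BatchMode stops ssh from ever prompting, which an unattended job needs.
# Usage:  some_program 2>&1 | ship_output /root/.ssh/loghost_key logger@loghost
ship_output() {
    keyfile=$1; target=$2
    ssh -i "$keyfile" -o BatchMode=yes "$target" dd of=logfile
}

# Self-contained demonstration with a constructed (fake) public key.
demo_key='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDconstructed root@cronhost'
demo_line=$(restricted_key_line "$demo_key" /usr/local/bin/append-log)
echo "authorized_keys entry for logger@loghost:"
echo "$demo_line"

# Simulate what sshd does with the forced command: feed client data to it.
demo_log=$(mktemp)
printf 'cron run 1\ncron run 2\n' | append_log "$demo_log"
printf 'cron run 3\n' | append_log "$demo_log"
echo "log now holds $(wc -l < "$demo_log" | tr -d ' ') lines"
rm -f "$demo_log"
```

The entry goes into ~logger/.ssh/authorized_keys on the logging host, one line per cron host, so each host's key can be revoked by deleting its line. Newer OpenSSH releases also accept a single `restrict` option that covers the no-* options at once, but the spelled-out form above works on old and new servers alike.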
