From owner-freebsd-security Thu Jul 19 1:52: 8 2001
Delivered-To: freebsd-security@freebsd.org
Received: from ringworld.nanolink.com (ringworld.nanolink.com [195.24.48.39]) by hub.freebsd.org (Postfix) with SMTP id 47F7337B401 for ; Thu, 19 Jul 2001 01:52:02 -0700 (PDT) (envelope-from roam@orbitel.bg)
Received: (qmail 7865 invoked by uid 1000); 19 Jul 2001 08:56:13 -0000
Date: Thu, 19 Jul 2001 11:56:13 +0300
From: Peter Pentchev
To: Brett Glass
Cc: Alson van der Meulen, security@FreeBSD.ORG
Subject: Re: Piping and scripts with scp
Message-ID: <20010719115613.D7129@ringworld.oblivion.bg>
Mail-Followup-To: Brett Glass, Alson van der Meulen, security@FreeBSD.ORG
References: <200107181959.NAA06459@lariat.org> <20010718220442.B15065@md2.mediadesign.nl> <4.3.2.7.2.20010718160356.04478100@localhost> <20010719114904.B7129@ringworld.oblivion.bg>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <20010719114904.B7129@ringworld.oblivion.bg>; from roam@orbitel.bg on Thu, Jul 19, 2001 at 11:49:04AM +0300
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Thu, Jul 19, 2001 at 11:49:04AM +0300, Peter Pentchev wrote:
> On Wed, Jul 18, 2001 at 04:23:03PM -0600, Brett Glass wrote:
> > At 02:04 PM 7/18/2001, Alson van der Meulen wrote:
> >
> > > You really should use RSA keys without passphrase for this,
> >
> > The problem with un-passphrased RSA keys is that they provide
> > no more security but create logistical problems. Since
> > the script will be run by cron as root, it means either
> > generating an un-passphrased key pair for root (not wise!)
>
> Wrong. You need to create an un-passphrased key that shall be *used*
> by root on the cron-running machine, but that shall authenticate
> a login as the *logging user* on the logging machine. The logging user
> need not be root (actually, it would be extremely unwise to log as root
> even using a password). The RSA key only authenticates a login if
> the key itself is added to the authorized_keys file. It does not need
> to be added to root's authorized_keys file on the cron-running machine
> just because root needs to use it.

And before anybody jumps in, actually it is the *public* portion of the
key that needs to be added to the logging machine account's
authorized_keys file; the private portion needs only reside on the
log-generating machine.

G'luck,
Peter

-- 
If this sentence didn't exist, somebody would have invented it.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
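As an added example (not part of the thread), a defender's check of the layout Peter describes: the public half of the cron job's key belongs in the logging user's authorized_keys on the logging machine and should not appear in root's. It goes one step beyond the thread by also checking that the entry carries OpenSSH's restriction options (command=, from=, no-pty, no-port-forwarding). The key blobs, file contents and paths are constructed samples.

```python
"""Audit where an scp-from-cron key's public half is installed."""

# Constructed sample public key (not a real key). Root on the
# log-generating machine uses the matching private half from cron.
CRON_PUBKEY = "ssh-rsa AAAAB3NzaC1yc2E_CONSTRUCTED_NOT_A_REAL_KEY cron-logcopy@loghost"

# Constructed authorized_keys contents on the logging machine.
LOGUSER_AUTHORIZED_KEYS = """
# log receiver: key may only run the receive script, from one host
command="/usr/local/bin/recv-logs",no-pty,no-port-forwarding,from="192.0.2.10" ssh-rsa AAAAB3NzaC1yc2E_CONSTRUCTED_NOT_A_REAL_KEY cron-logcopy@loghost
ssh-rsa AAAAB3NzaC1yc2E_CONSTRUCTED_ADMIN_KEY admin@workstation
"""
ROOT_AUTHORIZED_KEYS = "ssh-rsa AAAAB3NzaC1yc2E_CONSTRUCTED_ADMIN_KEY admin@workstation\n"

KEY_TYPES = ("ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")
REQUIRED = {"command", "from", "no-pty", "no-port-forwarding"}

def split_options(line):
    """Return (options, rest); options end at first unquoted whitespace."""
    if line.startswith(KEY_TYPES):
        return "", line
    in_quote = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_quote = not in_quote
        elif ch.isspace() and not in_quote:
            return line[:i], line[i:].lstrip()
    return line, ""  # malformed: options but no key

def option_names(options):
    """Option names only, e.g. {'command', 'from'}; values may hold commas."""
    names, cur, in_quote = set(), "", False
    for ch in options + ",":
        if ch == '"':
            in_quote = not in_quote
        elif ch == "," and not in_quote:
            if cur:
                names.add(cur.split("=", 1)[0])
            cur = ""
        else:
            cur += ch
    return names

def parse_authorized_keys(text):
    """One (option-name set, key blob) pair per key line; skip comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        options, rest = split_options(line)
        parts = rest.split(None, 2)
        if len(parts) >= 2:
            entries.append((option_names(options), parts[1]))
    return entries

def audit(pubkey, loguser_keys, root_keys):
    """Findings (empty list = OK) for where the cron key's public half sits."""
    blob = pubkey.split()[1]
    findings = []
    matches = [o for o, b in parse_authorized_keys(loguser_keys) if b == blob]
    if not matches:
        findings.append("public key missing from log user's authorized_keys")
    for opts in matches:
        if REQUIRED - opts:
            findings.append("log user entry lacks: " + ",".join(sorted(REQUIRED - opts)))
    if any(b == blob for _, b in parse_authorized_keys(root_keys)):
        findings.append("public key also present in root's authorized_keys")
    return findings
```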