Date:      Thu, 19 Jul 2001 11:56:13 +0300
From:      Peter Pentchev <roam@orbitel.bg>
To:        Brett Glass <brett@lariat.org>
Cc:        Alson van der Meulen <freebsd@alson.linuxfreak.nl>, security@FreeBSD.ORG
Subject:   Re: Piping and scripts with scp
Message-ID:  <20010719115613.D7129@ringworld.oblivion.bg>
In-Reply-To: <20010719114904.B7129@ringworld.oblivion.bg>; from roam@orbitel.bg on Thu, Jul 19, 2001 at 11:49:04AM +0300
References:  <200107181959.NAA06459@lariat.org> <200107181959.NAA06459@lariat.org> <20010718220442.B15065@md2.mediadesign.nl> <4.3.2.7.2.20010718160356.04478100@localhost> <20010719114904.B7129@ringworld.oblivion.bg>

On Thu, Jul 19, 2001 at 11:49:04AM +0300, Peter Pentchev wrote:
> On Wed, Jul 18, 2001 at 04:23:03PM -0600, Brett Glass wrote:
> > At 02:04 PM 7/18/2001, Alson van der Meulen wrote:
> > 
> > >You really should use RSA keys without passphrase for this, 
> > 
> > The problem with un-passphrased RSA keys is that they provide
> > no more security but create logistical problems. Since
> > the script will be run by cron as root, it means either 
> > generating an un-passphrased key pair for root (not wise!)
> 
> Wrong.  You need to create an un-passphrased key that shall be *used*
> by root on the cron-running machine, but that shall authenticate
> a login as the *logging user* on the logging machine.  The logging user
> need not be root (actually, it would be extremely unwise to log as root
> even using a password).  The RSA key only authenticates a login if
> the key itself is added to the authorized_keys file.  It does not need
> to be added to root's authorized_keys file on the cron-running machine
> just because root needs to use it.

And before anybody jumps in, actually it is the *public* portion of
the key that needs to be added to the logging machine account's
authorized_keys file; the private portion needs only reside on
the log-generating machine.

G'luck,
Peter

-- 
If this sentence didn't exist, somebody would have invented it.
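
The arrangement Peter describes, written out as an added example (this is not code from the thread or from FreeBSD): root's cron job on the log-generating host holds and uses the private key, while only the public key is appended to the unprivileged logging user's authorized_keys on the logging host. The host names, the account name `loguser`, the key path, the cron host address and the `/usr/local/bin/receive-log` wrapper are all assumptions. The `from=`, `command=` and `no-*` options are standard OpenSSH authorized_keys options, added here so that a key with no passphrase is at least limited to one job from one host if the private half ever leaks.

```shell
#!/bin/sh
# Added example, not from the thread.  Root on the log-generating (cron) host
# uses the PRIVATE key; the PUBLIC key goes into the logging user's
# authorized_keys on the logging host.  Names and paths below are assumptions.

LOGHOST="loghost.example.org"            # assumed: the logging machine
LOGUSER="loguser"                        # assumed: unprivileged account there
KEYFILE="/root/.ssh/logship_key"         # assumed: private key, stays on the cron host
CRONHOST="192.0.2.10"                    # assumed: address of the cron-running host
WRAPPER="/usr/local/bin/receive-log"     # assumed: forced command on the logging host

# One-time setup on the cron host: an RSA key with an empty passphrase (-N '').
make_key() {
    ssh-keygen -t rsa -N '' -f "$KEYFILE" -C "logship@$(hostname)" && chmod 600 "$KEYFILE"
}

# Build the line to append to ~$LOGUSER/.ssh/authorized_keys on the logging host.
# $1 = contents of $KEYFILE.pub, $2 = host the key may connect from.
# The options limit what this passphrase-less key can do if it leaks: only the
# forced command, only from the cron host, no pty and no forwarding of any kind.
authorized_keys_entry() {
    printf 'from="%s",command="%s",no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding %s\n' \
        "$2" "$WRAPPER" "$1"
}

# The command root's crontab runs: authenticate as LOGUSER (not root) on LOGHOST,
# naming the private key explicitly (-i) so root's default identities never come
# into play.  BatchMode=yes makes scp fail instead of hanging on a prompt.
scp_command() {
    printf 'scp -i %s -o BatchMode=yes -q %s %s@%s:\n' "$KEYFILE" "$1" "$LOGUSER" "$LOGHOST"
}

# Sanity check before each run: the private key must be mode 600.  ssh refuses
# a group- or world-readable key, and anyone on the box could copy it anyway.
private_key_mode_ok() {
    [ "$(ls -ld "$1" | cut -c1-10)" = "-rw-------" ]
}

case "${1-}" in
    setup)
        make_key
        echo "Append this line to ~$LOGUSER/.ssh/authorized_keys on $LOGHOST:"
        authorized_keys_entry "$(cat "$KEYFILE.pub")" "$CRONHOST"
        echo "Crontab entry for root on this host (hourly):"
        echo "0 * * * * $(scp_command /var/log/messages)"
        ;;
    cron)
        private_key_mode_ok "$KEYFILE" || { echo "bad mode on $KEYFILE" >&2; exit 1; }
        scp -i "$KEYFILE" -o BatchMode=yes -q /var/log/messages "$LOGUSER@$LOGHOST:"
        ;;
esac
```

Run with `setup` once on the cron host and with `cron` from root's crontab. Because `command=` replaces whatever the client asked for, the assumed `receive-log` wrapper on the logging host has to exec the receiving side of scp itself (for example `scp -t /var/log/remote`) and ignore the client-supplied command; that is what keeps the key from being usable for an interactive login as the logging user.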
