Date: Wed, 18 Jul 2001 16:23:03 -0600 From: Brett Glass <brett@lariat.org> To: Alson van der Meulen <freebsd@alson.linuxfreak.nl>, security@FreeBSD.ORG Subject: Re: Piping and scripts with scp Message-ID: <4.3.2.7.2.20010718160356.04478100@localhost> In-Reply-To: <20010718220442.B15065@md2.mediadesign.nl> References: <200107181959.NAA06459@lariat.org> <200107181959.NAA06459@lariat.org>
next in thread | previous in thread | raw e-mail | index | archive | help
At 02:04 PM 7/18/2001, Alson van der Meulen wrote: >You really should use RSA keys without passphrase for this, The problem with un-passphrased RSA keys is that they provide no more security but create logistical problems. Since the script will be run by cron as root, it means either generating an un-passphrased key pair for root (not wise!) and/or generating a special key pair for the script, which is stored... where? In whose directory? There's no convention for this, so the next admin who comes along will have to figure out what's what. Second, the RSA keys afford no additional security, since if someone breaks root and gets the un-passphrased key pair he's home free (just as if he'd plucked an unencrypted password out of a batch file). So, overall, we have a bunch more complexity and many more things to go wrong with no security benefit. BTW, from what people are telling me, scp doesn't allow data to be piped into it (as does ftp), which means I have to use ssh and invoke "cat" (or something similar) on the other side. A bit awkward. (Perhaps using "-" to mean standard input or output should be allowed in scp, as it is in so many other utilities. Or maybe the ftp "|" syntax could be used.... The latter is more complex because scp would have to fork a shell and execute the command as a data source/sink.) --Brett To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4.3.2.7.2.20010718160356.04478100>