From owner-freebsd-security Mon Dec 10 11:22:19 2001
Delivered-To: freebsd-security@freebsd.org
Date: Mon, 10 Dec 2001 11:22:14 -0800
From: Marcus Reid
To: Marc Rassbach
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Rsync, ssh and using root.
Message-ID: <20011210112214.B82934@blazingdot.com>
In-Reply-To: ; from marc@milestonerdl.com on Mon, Dec 10, 2001 at 12:33:25PM -0600
User-Agent: Mutt/1.2.5i
Coffee-Level: high
Sender: owner-freebsd-security@FreeBSD.ORG

On Mon, Dec 10, 2001 at 12:33:25PM -0600, Marc Rassbach wrote:
>
> I know that using remote root login is considered bad behavior, but
> my job is implementation, not judgement of security. This is what the
> client wants...put a hole in the default FreeBSD security.

Darn those clients..

> The client in the old days had a 3.5 box (2 of them) and used a
> combination of rsync, rsync in daemon mode, and ssh to allow root to move
> data between both machines.
>
> What was done under 3.5 (remote keys, et al.) no longer works on 4.4.
> On 4.X, it seems to fail after authentication, and I have spent 20+ hours
> reading man pages, and the mail list and can't find a good work around.
> (I have resisted looking at the source because I do not feel it is a bug,
> nor do I wish to patch code to make this work)
>
> What I am looking for is a way to have root-level privileges for
> reading/writing files between servers as the lo-tech solution they want
> for the 'server backup' is moving files once a day.

You could do better without much additional effort.

Give the operator user a home directory, make a dsa keypair for it, and
use 'dump' across the network as operator (with ssh.)  You can always add
'restore' to the pipeline if you need the files to be loose on the machine
that's making the backups.  No use going all the way to root if operator
can get its hands on all of the data.

Marcus

>
> Guidance as to how to do this with rsync (break security) or some other
> method that does not break security is welcome.

--
Marcus L. Reid
Public Key ID DA2C3C46
"They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety."
- Benjamin Franklin, 1759

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
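The operator-plus-dump pipeline Marcus describes, written out as an added example that is not part of the original thread. It assumes the backup host pulls from a server called backup-source.example, that the filesystem to back up sits on /dev/ad0s1a, and that the key lives in ~/.ssh/id_dsa; all three are placeholders. The server-side authorized_keys line uses OpenSSH's forced-command key options so the key can run nothing but the one dump, and dump itself runs as operator because FreeBSD's raw disk device nodes are owned root:operator and group-readable.

```shell
#!/bin/sh
# Added example (not from the original thread): pull a dump(8) of a FreeBSD
# filesystem over ssh as the unprivileged 'operator' user, as suggested by
# Marcus Reid, instead of permitting root logins.  Hostname, device and
# key path are assumed placeholders.

SSH="${SSH:-ssh}"   # overridable so the pipeline can be dry-run

# Line to install in ~operator/.ssh/authorized_keys on the server.
# command= makes sshd run only this dump, whatever the client asks for;
# the no-* options remove pty, port/X11 and agent forwarding from the key.
# $1 = raw device of the filesystem, $2 = public key line (id_dsa.pub).
authorized_keys_line() {
    printf 'command="/sbin/dump -0af - %s",no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding %s\n' "$1" "$2"
}

# Backup-host side: open the ssh session; the forced command on the server
# writes the level-0 dump to stdout, which arrives on our stdout.
# $1 = server host, $2 = private key file.
pull_dump() {
    "$SSH" -i "$2" -o BatchMode=yes "operator@$1"
}

# Optional restore(8) stage: unpack the stream so the files lie loose on
# the backup host.  $1 = target directory; the dump stream is read on stdin.
restore_loose() {
    (cd "$1" && /sbin/restore -rf -)
}

# Run with:  sh operator_backup.sh run [file|restore]
if [ "${1:-}" = run ]; then
    KEY="$HOME/.ssh/id_dsa"          # assumed key path
    SERVER=backup-source.example     # assumed server hostname
    FS_DEVICE=/dev/ad0s1a            # assumed device to dump (readable by group operator)

    # Generate the operator's keypair on the backup host if it is missing.
    [ -f "$KEY" ] || ssh-keygen -t dsa -N '' -f "$KEY"

    echo "Add to ~operator/.ssh/authorized_keys on $SERVER:" >&2
    authorized_keys_line "$FS_DEVICE" "$(cat "$KEY.pub")" >&2

    case "${2:-file}" in
        file)    pull_dump "$SERVER" "$KEY" > "/backups/$SERVER-$(date +%Y%m%d).dump" ;;
        restore) pull_dump "$SERVER" "$KEY" | restore_loose /backups/loose ;;
        *)       echo "usage: $0 run [file|restore]" >&2; exit 2 ;;
    esac
fi
```

Because the server's authorized_keys entry carries a forced command, the client never names a command at all: the session runs the dump and nothing else, so a stolen key yields a read of that one filesystem rather than a shell. DSA keys are what the thread asked for in 2001; OpenSSH has disabled ssh-dss by default since 7.0, so substitute another key type with the same options on a current system.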