From owner-freebsd-security Mon Dec 10 13:26:21 2001
Date: Mon, 10 Dec 2001 23:26:12 +0200
From: Alex Popa
To: Marc Rassbach
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Rsync, ssh and using root.
Message-ID: <20011210232612.A56872@ldc.ro>
In-Reply-To: from marc@milestonerdl.com on Mon, Dec 10, 2001 at 12:33:25PM -0600
User-Agent: Mutt/1.2.5i

On Mon, Dec 10, 2001 at 12:33:25PM -0600, Marc Rassbach wrote:
>
> I know that using remote root login is considered bad behavior, but
> my job is implementation, not judgement of security. This is what the
> client wants... put a hole in the default FreeBSD security.
>
> The client in the old days had a 3.5 box (2 of them) and used a
> combination of rsync, rsync in daemon mode, and ssh to allow root to move
> data between both machines.
>
> What was done under 3.5 (remote keys, et al.) no longer works on 4.4.
> On 4.X, it seems to fail after authentication, and I have spent 20+ hours
> reading man pages and the mail list, and can't find a good workaround.
> (I have resisted looking at the source because I do not feel it is a bug,
> nor do I wish to patch code to make this work.)
>
> What I am looking for is a way to have root-level privileges for
> reading/writing files between servers, as the lo-tech solution they want
> for the 'server backup' is moving files once a day.
>
> Guidance as to how to do this with rsync (break security) or some other
> method that does not break security is welcome.
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message

Well, the most important change I can think of, which might be what is
keeping you from using your old ssh keys, is that (please correct me if I
am wrong) the default protocol for SSH in FreeBSD 4.4 is version 2. Thus
you will need a pair of DSA keys for passwordless scp, or the line
"Protocol 1,2" in one of /etc/ssh/sshd_config or /etc/ssh/ssh_config.
(I would prefer sshd_config, or better, generating DSA keys and putting
the public one in .ssh/authorized_keys2 on the remote machine.)

HTH
Alex

------------+------------------------------------------
Alex Popa, | "Artificial Intelligence is
razor@ldc.ro| no match for Natural Stupidity"
------------+------------------------------------------
"It took the computing power of three C-64s to fly to the Moon.
It takes a 486 to run Windows 95. Something is wrong here."
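As an added illustration of the two options in the reply above (this is example code, not from the thread or the FreeBSD project): a small sshd_config audit that flags the "Protocol 1,2" workaround and password-based root logins, and accepts the key-only setup that pairs with a protocol-2 public key in root's .ssh/authorized_keys2. The two config fragments are constructed for the example; the `sshd_value` and `audit_sshd_config` function names are mine.

```shell
# Constructed sshd_config fragments (not from the thread): the "weak" one
# re-enables SSH protocol 1 and password root logins; the "fixed" one keeps
# protocol 2 only and lets root in with a key alone, as the reply suggests.
WEAK_CFG='Protocol 1,2
PermitRootLogin yes
PasswordAuthentication yes'

FIXED_CFG='Protocol 2
PermitRootLogin without-password
PasswordAuthentication no'

# Effective value of a keyword: sshd uses the first occurrence it finds and
# matches keywords case-insensitively; comment lines are skipped.
sshd_value() {
    printf '%s\n' "$1" | awk -v k="$2" \
        '$1 !~ /^#/ && tolower($1) == tolower(k) { print $2; exit }'
}

# Audit one config text. Prints findings; returns 0 if acceptable for a
# key-only root rsync-over-ssh setup, 1 if a weak setting was found.
audit_sshd_config() {
    cfg=$1
    rc=0
    proto=$(sshd_value "$cfg" Protocol)
    case ",$proto," in
        *,1,*) echo "FAIL: Protocol '$proto' enables SSH-1; use 'Protocol 2'"
               rc=1 ;;
        *)     echo "ok:   Protocol '${proto:-<unset>}'" ;;
    esac
    root=$(sshd_value "$cfg" PermitRootLogin)
    case $root in
        without-password|forced-commands-only)
               echo "ok:   PermitRootLogin $root (key-based root login only)" ;;
        no)    echo "note: PermitRootLogin no; root rsync over ssh will not work" ;;
        # "yes" and unset (the old default) both allow root password logins.
        *)     echo "FAIL: PermitRootLogin '${root:-<unset>}' allows root password logins"
               rc=1 ;;
    esac
    return $rc
}

echo "== weak config =="
audit_sshd_config "$WEAK_CFG"
echo "== fixed config =="
audit_sshd_config "$FIXED_CFG"
```

To run it against a real host, replace the constructed strings with `$(cat /etc/ssh/sshd_config)`.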