Date:      Mon, 10 Dec 2001 23:26:12 +0200
From:      Alex Popa <razor@ldc.ro>
To:        Marc Rassbach <marc@milestonerdl.com>
Cc:        freebsd-security@FreeBSD.ORG
Subject:   Re: Rsync, ssh and using root.
Message-ID:  <20011210232612.A56872@ldc.ro>
In-Reply-To: <Pine.BSF.4.21.0112101218390.1117-100000@tandem.milestonerdl.com>; from marc@milestonerdl.com on Mon, Dec 10, 2001 at 12:33:25PM -0600
References:  <Pine.BSF.4.21.0112101218390.1117-100000@tandem.milestonerdl.com>

On Mon, Dec 10, 2001 at 12:33:25PM -0600, Marc Rassbach wrote:
>  
> I know that using remote root login is considered bad behavior, but 
> my job is implementation, not judgement of security.  This is what the
> client wants...put a hole in the default FreeBSD security.
>  
> The client in the old days had a 3.5 box (2 of them) and used a
> combination of rsync, rsync in daemon mode, and ssh to allow root to move
> data between both machines.  
>  
> What was done under 3.5 (remote keys, etc la) no longer works on 4.4.
> On 4.X, it seems to fail after authentication, and I have spent 20+ hours
> reading man pages, and the mail list and can't find a good work around.  
> (I have resisted looking at the source because I do not feel it is a bug,
> nor do I wish to patch code to make this work)
>  
> What I am looking for is a way to have root-level privileges for 
> reading/writing files between servers as the lo-tech solution they want 
> for the 'server backup' is moving files once a day.
>  
> Guidance as to how to do this with rsync (break security) or some other
> method that does not break security is welcome.
>  
> 
> 
> 
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message

Well, the most important change I can think of, which might be what is
keeping you from using your old ssh keys, is that (please correct me if
I am wrong) the default protocol for SSH in FreeBSD 4.4 is version 2.

Thus you will need a pair of DSA keys for passwordless scp, or the line
"Protocol 1,2" in one of /etc/ssh/sshd_config or /etc/ssh/ssh_config. (I
would prefer sshd_config, or better, generating dsa keys and putting the
public one in .ssh/authorized_keys2 on the remote machine)

HTH
	Alex

------------+------------------------------------------
Alex Popa,  |  "Artificial Intelligence is
razor@ldc.ro|         no match for Natural Stupidity"
------------+------------------------------------------
"It took the computing power of three C-64s to fly to the Moon.
It takes a 486 to run Windows 95. Something is wrong here."
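
The check described in the reply above, as an added example that is not part of the original message: it reads the "Protocol" line from an sshd_config-style file and reports whether a given key type can still authenticate. The function names, the key-type labels (rsa1 for an old protocol 1 key, dsa for a protocol 2 key) and the fallback of "2" when no Protocol line exists are assumptions of this sketch.

```shell
#!/bin/sh
# Added example, not from the original thread.

# ssh_protocols FILE [DEFAULT]
# Print the value of the first "Protocol" directive in FILE (the first
# occurrence of a keyword is the one used). DEFAULT is what to assume
# when the file has no Protocol line (assumption here: "2").
ssh_protocols() {
    awk -v def="${2:-2}" '
        { sub(/#.*/, ""); sub(/=/, " ") }     # drop comments, allow key=value
        tolower($1) == "protocol" && !seen { seen = 1; val = $2 }
        END { print (seen ? val : def) }
    ' "$1"
}

# key_usable PROTOCOLS KEYTYPE
# PROTOCOLS is a list such as "2" or "1,2"; KEYTYPE is rsa1 or dsa.
# Prints "usable" or "unusable" ("unknown" for any other key type).
key_usable() {
    case "$2" in
        rsa1) want=1 ;;   # protocol 1 key pair
        dsa)  want=2 ;;   # protocol 2 key pair, public half in authorized_keys2
        *)    echo "unknown"; return 2 ;;
    esac
    case ",$1," in
        *",$want,"*) echo "usable" ;;
        *)           echo "unusable" ;;
    esac
}

# Demo on a constructed config file (sample data, not a real host's config).
demo_cfg=$(mktemp)
cat > "$demo_cfg" <<'EOF'
# constructed sample
Port 22
Protocol 2
EOF
protos=$(ssh_protocols "$demo_cfg")
echo "Protocol $protos: rsa1 key is $(key_usable "$protos" rsa1)," \
     "dsa key is $(key_usable "$protos" dsa)"
rm -f "$demo_cfg"
```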
