From owner-freebsd-questions  Thu Jul  1  2:23:24 1999
Delivered-To: freebsd-questions@freebsd.org
Received: from usgs.gov (igsmn002.wr.usgs.gov [130.118.41.22])
	by hub.freebsd.org (Postfix) with SMTP
	id 800FE15706; Thu,  1 Jul 1999 02:23:16 -0700 (PDT)
	(envelope-from rsowders@usgs.gov)
Received: from IGSMN-Message_Server by usgs.gov
	with Novell_GroupWise; Thu, 01 Jul 1999 02:23:13 -0700
Message-Id: <s77ad111.078@usgs.gov>
X-Mailer: Novell GroupWise 5.2
Date: Thu, 01 Jul 1999 02:22:41 -0700
From: "Robert Sowders" <rsowders@usgs.gov>
To: cjc@cc942873-a.ewndsr1.nj.home.com,
	freebsd-questions@FreeBSD.ORG, freebsd-security@FreeBSD.ORG,
	cjclark@home.com
Subject: Re: SSH Working Like rsh
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: quoted-printable
Content-Disposition: inline
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

It doesn't look like anyones answered you yet.
So I'll give it a try.  Sorry for the long post but,
what can I say?

I assume you know the location of all ssh config=20
files.

Note, fbsd 3.2 incorporates tcpwrappers by default
and by default ssh is compiled with libwrap so you
must make sure that your hosts.allow file is allowing=20
the connection between the two machines.  If your=20
not running 3.2 or you don't have any hosts.allow or
hosts.deny files then don't worry about it.

First let me say that using password less logins
will defeat part of the security of using ssh both
with RhostsAuthentication and RhostsRSAAuthentication.
With that said I have found that only the very elete can=20
leverage this into anything useful without a toehold
already established on one of your machines.

Make sure the sshd_config file on the=20
receiving machine allows root logins,=20
rhosts logins and RSA while we're at it.
From here on It might be a good idea to=20
the same thing on both sending and receiving=20
machines so your script will work it's redirection.
( I haven't done that )

PermitRootLogin yes
IgnoreRhosts no
RhostsAuthentication yes
RhostsRSAAuthentication yes

Now kill and restart or HUP the sshd server.
Place a .shosts file in the home directory
of the receiving machine you wish to connect to=20
with the following line in the file somewhere.

root@the.machine.your.coming.from

Connect from the sending machine to the=20
receiving machine manually and accept the
query to connect to the machine for the first
time.  Connect back to the sending machine=20
from the receiving machine just to be sure.
The reason for this is so the known_host
files will be writtian on both machines.  After
this the query will not appear.

Now as root from the sending machine try to
ssh to the receiving machine.  If it still asks for=20
a passwd or RSA passphrase, try it again, but=20
this time on the receiving machine kill and restart=20
sshd with the -d switch so it will send the debug=20
output to the screen.  Now from the sending machine=20
ssh to the receiving machine with the -v switch
so it's verbose output is sent to the screen.
The sending machine will tell you where it's failing
and if you go to the receiving machine it will also=20
show you what's going on and hopefully this will=20
give you a clue about how to proceed.

If you would like to do password less logins with
RSA passphrase then you will need to do the=20
following.  Be aware that the scary statements
about null passphrased private key are there for a=20
good reason.  If someone can steal your key or copy=20
it then they will have root on the receiving machine
with no questions asked, but to do this from any=20
machine other than the one they stole it from is very=20
difficult and again they would have to have a toehold=20
on your machine to start with.
So Caveot Emptor.

In addition to the above, in the ssh_config
uncomment the lines just to be sure, but it=20
should already be the default.

RhostsAuthentication yes
RhostsRSAAuthentication yes
RSAAuthentication yes

Now on each machine run the command
ssh-keygen and when it asks for a passphrase
just hit the enter key twice.  Now transfer the=20
identity.pub file from each machine to the other
renaming it authorized_keys and place it in the=20
.ssh directory in the home of root.
Again run the server and client with the -d and -v=20
switches respectivly and watch the output for errors.

If you can't get passwd less logins with RSA passphrase
but .shosts works for you then you might try running
a cron job and taring the files you need and then using=20
scp to move the files for you.

Hope this helps.

>>> "Crist J. Clark" <cjc@cc942873-a.ewndsr1.nj.home.com> 6/30/99 10:00:52 =
PM >>>
As in the past
(http://www.freebsd.org/cgi/getmsg.cgi?fetch=3D3815870+3818463+/usr/local/w=
ww/db/text/1999/freebsd-questions/19990509.freebsd-questions),
I seem to be having some trouble understanding the SSH manpages.

I have two machines, lets call them hostA and hostB. hostA is a server
and hostB is its backup. On a daily basis, I want to run a cron job
on hostB that sucks up various files from hostA and then deposits them
where they belong on hostB.

Now, to me, the simple solution seemed to just use ssh (as I would
have used rsh in past, simpler times), to do something like,

  ssh hostA "tar cf - $FILE_LIST" | tar xf -

Where ssh runs a command on hostA and pipes the stdout over the net
back to the stdin of a command on hostB.

The ssh(1) manpage says,

       The second (and  primary)  authentication  method  is  the
       rhosts  or hosts.equiv method combined with RSA-based host
       authentication.  It means that if the login would be  per-
       mitted   by   .rhosts,   .shosts,   /etc/hosts.equiv,   or
       /usr/local/etc/shosts.equiv, and additionally it can  ver-
       ify  the client's host key (see $HOME/.ssh/known_hosts and
       /usr/local/etc/ssh_known_hosts in the FILES section), only
       then  login  is  permitted.   This  authentication  method
       closes security holes due to IP spoofing, DNS spoofing and
       routing    spoofing.     [Note   to   the   administrator:
       /etc/hosts.equiv, .rhosts, and the rlogin/rsh protocol  in
       general, are inherently insecure and should be disabled if
       security is desired.]

To me, it is saying that ssh should function like the rsh from the
user's point of view. However, on hostA, I have placed hostB in the
/etc/shost file, the user's .rhosts (root user), and made sure that
the pub key for hostB is on hostA in /root/.ssh/known_hosts and
/usr/local/etc/ssh_known_hosts, but I still get a request for a
passphrase.=20

How do I set up ssh so it can run a ssh like this from a cronjob? Is
the solution to give root a null passphrased private key? However, the
documentation has the scary statement about 'do not use null
passphrases unless you know what you are doing.' I do not know enough
about what I am doing to ignore that warning for a root account.

Thanks for any pointers.
--=20
Crist J. Clark                           cjclark@home.com=20


To Unsubscribe: send mail to majordomo@FreeBSD.org=20
with "unsubscribe freebsd-questions" in the body of the message


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message