Re: Piping and scripts with scp

From: Alson van der Meulen (freebsd@alson.linuxfreak.nl)
Date: 07/19/01


Date: Thu, 19 Jul 2001 00:54:06 +0200
From: Alson van der Meulen <freebsd@alson.linuxfreak.nl>
To: security@FreeBSD.ORG

On Wed, Jul 18, 2001 at 04:23:03PM -0600, Brett Glass wrote:
> At 02:04 PM 7/18/2001, Alson van der Meulen wrote:
>
> >You really should use RSA keys without passphrase for this,
>
> The problem with un-passphrased RSA keys is that they provide
> no more security but create logistical problems. Since
> the script will be run by cron as root, it means either
> generating an un-passphrased key pair for root (not wise!)
> and/or generating a special key pair for the script, which
> is stored... where? In whose directory? There's no convention
> for this, so the next admin who comes along will have to figure
> out what's what. Second, the RSA keys afford no additional
> security, since if someone breaks root and gets the
> un-passphrased key pair he's home free (just as if he'd plucked
> an unencrypted password out of a batch file). So, overall, we
> have a bunch more complexity and many more things to go wrong
> with no security benefit.
ssh keys aren't more complex than passing passwords from a script to
ssh, since ssh isn't designed to read passwords from stdin or some
file. You can just document the location of the keypair in your
script, and add it to the remote root's ./.ssh/authorized_keys;
shouldn't be that complex imho.

>
> BTW, from what people are telling me, scp doesn't allow data
> to be piped into it (as does ftp), which means I have to
> use ssh and invoke "cat" (or something similar) on the other
> side. A bit awkward. (Perhaps using "-" to mean standard input
> or output should be allowed in scp, as it is in so many
> other utilities. Or maybe the ftp "|" syntax could be used....
> The latter is more complex because scp would have to fork a
> shell and execute the command as a data source/sink.)
scp actually does something like cat foo | ssh bar cat \> foo

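An added example (not from this thread or from either poster) of the pattern discussed above: a root cron job that streams a file to a remote host with a dedicated, documented key rather than a scripted password, and the authorized_keys line that confines that key to a forced command so a stolen copy cannot open a shell. The key path, remote account and destination file are assumed values; SSH_CMD is a hypothetical hook for a local dry run.

```sh
#!/bin/sh
# Added example: push a file from a cron job over ssh with a dedicated key.
# Assumed/constructed values: key path, remote account, destination file.
KEYFILE=${KEYFILE:-/root/.ssh/cron-push-key}
REMOTE=${REMOTE:-root@backup.example.org}
DEST=${DEST:-/var/backups/incoming/dump.gz}

# authorized_keys entry for the remote side. The forced command means this
# key can only ever write one file; it cannot get a pty or forward ports.
authorized_keys_line() {
  # $1 = destination path on the remote host, $2 = public key text (one line)
  printf 'command="cat > %s",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding %s\n' "$1" "$2"
}

# Transport hook: runs one remote command string. Defaults to ssh in batch
# mode (fails instead of prompting for a passphrase or password). For a local
# dry run without a remote host, set SSH_CMD='sh -c' (hypothetical hook).
remote() {
  if [ -n "$SSH_CMD" ]; then
    $SSH_CMD "$1"
  else
    ssh -i "$KEYFILE" -o BatchMode=yes "$REMOTE" "$1"
  fi
}

# The same pattern scp uses internally: stream stdin through ssh into cat
# on the far side. When the forced command above is in place, sshd ignores
# this command string and runs the one from authorized_keys instead.
push_stream() {
  # $1 = local file to send
  [ -r "$1" ] || { echo "push_stream: cannot read $1" >&2; return 1; }
  remote "cat > $DEST" < "$1"
}
```

Run with a real key and host, or set SSH_CMD='sh -c' to exercise the pipeline locally.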


