How do I set-up secure automated file push and pull?
From: Anupam (frj780jdy85533001@sneakemail.com)
Date: 04/20/02
From: "Anupam" <frj780jdy85533001@sneakemail.com>
To: <focus-sun@securityfocus.com>
Date: Fri, 19 Apr 2002 23:47:58 -0400

Guys and gals,
I am sure a lot of you face this issue. The previous thread about secure ftp
is very close to this issue.
Is there a 'safe' or 'established' way of setting up automatable file-push
and file-pull accounts? I have been scouting the various SUN mailing lists
and have found no definitive answers.
Example:
A secure/important server may want to:
- Pull log files at regular intervals of time from a less secure/important
server (File-Pull)
- Push log files to a less secure/important reporting server at regular
intervals of time (File-push)
Issues with these accounts/solutions:
- Ideally should be unable to log in to the more secure machine.
- Should be unable to flood/over-flow a partition beyond a defined limit
(case of file-push).
- Should have read-only access to files in a defined set of
directories/files (case of file-pull).
- Appropriate daemons must be easy to set-up securely.
- Should be able to set-up scripts which run without human intervention.
I can think of three possible solutions:
- Anonymous FTP account
- Anonymous SFTP account
- /usr/lib/rsh SSH account
1. Anonymous FTP account:
Pros:
+ Cannot log in to machine
+ Can be set-up to be read-only
+ Is scriptable/automatable.
Cons:
- FTPd :-) A few months ago on the list, proftpd/ncftpd were both mentioned
as secure and functional FTPds.
- Is it possible to set write limits to prevent flooding/overflow???
2. Anonymous SFTP account
Pros:
+ Cannot log in to machine
+ Can be set-up to be read-only
+ SSH is easier to set-up securely for me and the actual transfer is also
encrypted :-)
+ Is scriptable/automatable.
Cons:
- Is it possible to set write limits to prevent flooding/overflow???
- My understanding is that it is not provided/supported by OpenSSH, and not
provided by commercial F-Secure/SSH.com for Solaris.
3. SSH account
Pros:
+ Account with shell as /usr/lib/rsh and PATH="" is equivalent to denying
login to machine
+ Because of /usr/lib/rsh as account's shell, account will be unable to
write to standard o+w directories such as /tmp.
+ Along with use of quota, one can limit the amount of data written to
various file systems.
Cons:
- Difficult to restrict read access to rest of the file system, all o+r files
are readable remotely. Might be easier to set-up on Trusted Solaris or on
Solaris 8 using RBAC (any input???)
- To set-up automated SSH one must use client side 'certificates' (not
really a con, but an issue)
QUESTIONS:
- Is my summary of the features and issues with the various options
correct?
- Are there any options I am missing?
Thanks,
- Anupam
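
The drawback listed for option 3, that all o+r files stay readable by the transfer account, can be measured before such an account is deployed. The following is an added example, not part of the original post: it checks that a passwd entry uses /usr/lib/rsh and lists world-readable files outside the directory the pull account is meant to read. The account name `logpull`, the paths and the passwd line are constructed sample values.

```shell
#!/bin/sh
# Added example, not from the original post. The account name, the paths and
# the passwd line below are constructed sample values.

# Succeeds if the 7th passwd field (login shell) is the restricted shell.
shell_is_restricted() {
    [ "$(printf '%s\n' "$1" | cut -d: -f7)" = "/usr/lib/rsh" ]
}

# Print world-readable regular files under ROOT ($1) that lie outside the
# directory the pull account is meant to read ($2).
exposed_files() {
    find "$1" -type f -perm -004 -print |
        awk -v allowed="$2/" 'index($0, allowed) != 1' | sort
}

# Build a constructed tree in a temporary directory and report on it.
demo() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/export/logs" "$root/etc"
    echo log > "$root/export/logs/app.log"; chmod 644 "$root/export/logs/app.log"
    echo cfg > "$root/etc/app.conf";        chmod 644 "$root/etc/app.conf"
    echo key > "$root/etc/secret.key";      chmod 600 "$root/etc/secret.key"

    entry='logpull:x:1001:1001:log pull:/export/logs:/usr/lib/rsh'
    if shell_is_restricted "$entry"; then
        echo "shell: restricted (/usr/lib/rsh)"
    else
        echo "shell: NOT restricted"
    fi

    echo "world-readable files outside /export/logs:"
    exposed_files "$root" "$root/export/logs" | sed "s|^$root||"
    rm -rf "$root"
}

demo
```

Every path the second check prints is a file the account could read despite the restricted shell, so the list shows how much of the file system would need its permissions tightened.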