Re: How do I set-up secure automated file push and pull?

From: Jan-Philip Velders (jpv@veldersjes.net)
Date: 04/26/02


Date: Fri, 26 Apr 2002 08:42:59 +0200 (CEST)
From: Jan-Philip Velders <jpv@veldersjes.net>
To: Anupam <frj780jdy85533001@sneakemail.com>


> Date: Fri, 19 Apr 2002 23:47:58 -0400
> From: Anupam <frj780jdy85533001@sneakemail.com>
> To: focus-sun@securityfocus.com
> Subject: How do I set-up secure automated file push and pull?

> [ ... ]
> Is there a 'safe' or 'established' way of setting up automatable
> file-push and file-pull accounts. I have been scouting the various
> SUN mailing lists and have found no definitive answers.

"the way" depends mostly on the admin you encounter ;)

> [ ... secure push & pull ... ]

At work I use SSH in various setups:
1* with rdist (massive software distribution with all kinds of
   excludes, which rsync unfortunately isn't able to handle)
   (push)
2* with rsync (database dump backups, restricted to one dir)
   (push and pull setups)

ad 1.
probably unsuited for your environment... (needs twiddling with a
separate sh-script because rdist can't pass on parameters to its rsh
replacement) It uses SSH-authorized-keys stuff to only allow rdist
being executed at the remote end... Though if the sending machine is
(root) compromised, it would allow the whole filesystem of the target
machine(s) to be overwritten... (known risk, and deemed "acceptable"
in this case :( )

NOTE: the standard SUN "rdist" only supports rsh, but there are two
      opensource alternatives based on the original BSD:
        http://www.magnicomp.com/download/rdist/rdist-6.1.5.tar.gz
        (which we use)
        ftp://ftp.astron.com/pub/freerdist/freerdist-0.92.tar.gz
        (which seems to be a continuation of the one above)

I set up a little shellscript which runs SSH:
        /path/to/ssh -a -x -C -1 -o Batchmode=yes -i /path/to/unencrypted/seperate/private/keyfile $*
(note the "$*", that way the rdist supplied extra parameters are also
passed on, but if you're using this for one host only, then you could
also pin it down ;) )
Then when running rdist, you supply a "-P /path/to/ssh/wrapper"
option, which has rdist using that script instead of rsh.
On the receiving machine(s) we set up an SSH authorized_keys file:
from="sendingmachine",command="/path/to/*our*/rdistd -S",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding <KEY> <COMMENT>

We're disting a lot of (self-built) software in this way from our own
build-machine to a bunch of servers. Some need only the Solaris stuff
(for themselves), others need only the Linux stuff (for themselves)
and others need both (for themselves and for NFS clients)... ;)

ad 2.
I transfer some backups of our databases from the database account to
several locations and store them there. On the database machine a
regular cronjob executes rsync over ssh, and on the receiving machine
an SSH authorized_keys file allows only the database machine to
connect to an account, with only "that" key, and runs rsync with
parameters so it's *locked* to *my* settings (and path):
from="databasemachine",command="/usr/bin/rsync --server -vlogDtprz . /destinationpath/",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding <KEY> <COMMENT>

the rsync command was deduced by replacing rsync with a little shell
script which echo'd its parameters to something beneath /var/tmp ...

You can set it up to push and/or pull, but you'll need to twiddle a
bit... Also you can use rsync's abilities to move older files (which
it would like to delete or overwrite) into a separate directory...

hope this helps you decide on what technique to use !
(and don't forget telling us ;) )

> Thanks,
> - Anupam

Regards,
JP Velders
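
An added example, not part of the original post: a Python check that every key in an authorized_keys file carries the restrictions used in both setups above (from=, command= and the four no-* options). The sample file is constructed, its key material is a placeholder, and the function names are this example's own.

```python
import re
# Restrictions the post puts on each key; sshd option names are case-insensitive.
REQUIRED_FLAGS = {"no-pty", "no-port-forwarding",
                  "no-agent-forwarding", "no-x11-forwarding"}
REQUIRED_VALUES = {"from", "command"}
# No options: the line starts with a key type, or a bit count (protocol 1).
KEY_START = re.compile(r"(ssh-|ecdsa-|sk-|\d+\s)")

def split_options(line):
    """Return (options, rest); quoted commas and spaces stay in the value."""
    if KEY_START.match(line):
        return {}, line
    fields, buf, quoted, i = [], [], False, 0
    while i < len(line):
        ch = line[i]
        if quoted and ch == "\\" and line[i + 1:i + 2] == '"':
            buf.append('"')   # escaped quote inside a value
            i += 1
        elif ch == '"':
            quoted = not quoted
        elif ch == "," and not quoted:
            fields.append("".join(buf))
            buf = []
        elif ch.isspace() and not quoted:
            break             # end of the options field
        else:
            buf.append(ch)
        i += 1
    fields.append("".join(buf))
    opts = {n.lower(): v for n, _, v in (f.partition("=") for f in fields)}
    return opts, line[i:].strip()

def audit(text):
    """Map line number -> sorted list of restrictions that line lacks."""
    findings = {}
    for number, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line and not line.startswith("#"):
            opts, _ = split_options(line)
            missing = {f for f in REQUIRED_FLAGS if f not in opts}
            missing |= {v for v in REQUIRED_VALUES if not opts.get(v)}
            if missing:
                findings[number] = sorted(missing)
    return findings

SAMPLE = """\
# constructed sample, key material is a placeholder
from="databasemachine",command="/usr/bin/rsync --server -vlogDtprz . /destinationpath/",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding ssh-rsa AAAA...PLACEHOLDER backup-key
command="/usr/bin/rsync --server -vlogDtprz . /destinationpath/",no-pty ssh-rsa AAAA...PLACEHOLDER partial-key
ssh-rsa AAAA...PLACEHOLDER unrestricted-key"""
```

Calling audit(SAMPLE) reports lines 3 and 4; the fully restricted key on line 2 produces no finding.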