Re: How do I set-up secure automated file push and pull?

From: Jan-Philip Velders (jpv@veldersjes.net)
Date: 04/26/02


Date: Fri, 26 Apr 2002 08:42:59 +0200 (CEST)
From: Jan-Philip Velders <jpv@veldersjes.net>
To: Anupam <frj780jdy85533001@sneakemail.com>


> Date: Fri, 19 Apr 2002 23:47:58 -0400
> From: Anupam <frj780jdy85533001@sneakemail.com>
> To: focus-sun@securityfocus.com
> Subject: How do I set-up secure automated file push and pull?

> [ ... ]
> Is there a 'safe' or 'established' way of setting up automatable
> file-push and file-pull accounts. I have been scouting the various
> SUN mailing lists and have found no definitive answers.

"the way" depends mostly on the admin you encounter ;)

> [ ... secure push & pull ... ]

At work I use SSH in various setups:
1* with rdist (massive software distribution with all kinds of
   excludes, which rsync unfortunately isn't able to handle)
   (push)
2* with rsync (database dump backups, restricted to one dir)
   (push and pull setups)

ad 1.
probably unsuited for your environment... (needs twiddling with a
separate sh-script because rdist can't pass on parameters to its rsh
replacement) It uses SSH-authorized-keys stuff to only allow rdist
being executed at the remote end... Though if the sending machine is
(root) compromised, it would allow the whole filesystem of the target
machine(s) to be overwritten... (known risk, and deemed "acceptable"
in this case :( )

NOTE: the standard SUN "rdist" only supports rsh, but there are two
      open-source alternatives based on the original BSD:
        http://www.magnicomp.com/download/rdist/rdist-6.1.5.tar.gz
        (which we use)
        ftp://ftp.astron.com/pub/freerdist/freerdist-0.92.tar.gz
        (which seems to be a continuation of the one above)

I set up a little shell script which runs SSH:
        #!/bin/sh
        exec /path/to/ssh -a -x -C -1 -o Batchmode=yes -i /path/to/unencrypted/separate/private/keyfile "$@"
(note the "$@", that way the rdist-supplied extra parameters are also
passed on, but if you're using this for one host only, then you could
also pin it down ;) )
Then when running rdist, you supply a "-P /path/to/ssh/wrapper"
option, which has rdist using that script instead of rsh.
On the receiving machine(s) we set up an SSH authorized_keys file:
from="sendingmachine",command="/path/to/*our*/rdistd -S",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding <KEY> <COMMENT>

We're disting a lot of (self-built) software in this way from our own
build-machine to a bunch of servers. Some need only the Solaris stuff
(for themselves), others need only the Linux stuff (for themselves)
and others need both (for themselves and for NFS clients)... ;)

ad 2.
I transfer some backups of our databases from the database account to
several locations and store them there. On the database machine a
regular cronjob executes rsync over ssh, and on the receiving machine
an SSH authorized_keys file allows only the database machine to
connect to an account, with only "that" key, and runs rsync with
parameters so it's *locked* to *my* settings (and path):
from="databasemachine",command="/usr/bin/rsync --server -vlogDtprz . /destinationpath/",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding <KEY> <COMMENT>

The rsync command was deduced by replacing rsync with a little shell
script which echoed its parameters to something beneath /var/tmp ...

You can set it up to push and/or pull, but you'll need to twiddle a
bit... Also you can use rsync's abilities to move older files (which
it would like to delete or overwrite) into a seperate directory...

Hope this helps you decide on what technique to use!
(and don't forget telling us ;) )

> Thanks,
> - Anupam

Regards,
JP Velders
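
As an added example (not from JP's message and not part of either rdist
distribution): both authorized_keys lines in the message pin a single
literal command=, which locks the key to one invocation but gives the
receiving side no visibility when a compromised sender asks for something
else. The POSIX sh gate below is the same restriction made inspectable.
authorized_keys points command= at this script, OpenSSH places the
client's requested command line in SSH_ORIGINAL_COMMAND, and the script
executes only an exact match for the expected rsync --server or rdistd -S
invocation, logging every refused request. The rsync literal is the one
JP captured; /path/to/our/rdistd, /destinationpath/ and the log path are
placeholders modelled on the message, not real paths.

```shell
#!/bin/sh
# Added example, not from the original post: a forced-command gate for the
# authorized_keys "command=" option. With command="/path/to/gate.sh" in the
# key line, sshd runs this script and exports the client's requested command
# line as SSH_ORIGINAL_COMMAND. Only exact matches on the allow-list below
# are executed; anything else is refused and appended to a log.
#
# Placeholders (modelled on the message, not real paths):
#   /destinationpath/        locked rsync destination from the post
#   /path/to/our/rdistd      our own rdistd binary from the post
#   /var/tmp/forced-cmd.log  constructed log location for refused requests

LOG_FILE="${LOG_FILE:-/var/tmp/forced-cmd.log}"

# resolve_command REQUESTED
# Prints the canonical command to run when REQUESTED is on the allow-list,
# otherwise prints nothing and returns 1. The comparison is the whole
# string, so an added --delete, a different destination or a different
# option set is refused rather than silently honoured.
resolve_command() {
    case "$1" in
        # rsync server side, exactly as the author pinned it in authorized_keys;
        # mapped to the absolute path so PATH on the server cannot redirect it
        'rsync --server -vlogDtprz . /destinationpath/')
            printf '%s\n' '/usr/bin/rsync --server -vlogDtprz . /destinationpath/' ;;
        # rdistd server side used by the rdist push
        '/path/to/our/rdistd -S')
            printf '%s\n' '/path/to/our/rdistd -S' ;;
        *)
            return 1 ;;
    esac
}

# gate REQUESTED
# Prints the command that would be executed, or REFUSED, and returns the
# verdict. Kept separate from the exec so the allow-list can be exercised
# from a plain shell without an SSH session.
gate() {
    if resolved=$(resolve_command "$1"); then
        printf '%s\n' "$resolved"
        return 0
    fi
    printf 'REFUSED\n'
    # Record who asked for what; SSH_CLIENT is set by sshd for real sessions.
    printf '%s REFUSED from %s: %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" \
        "${SSH_CLIENT:-unknown}" "$1" >> "$LOG_FILE" 2>/dev/null || :
    return 1
}

# Entry point when invoked by sshd as a forced command. The top-level
# block only runs when SSH_ORIGINAL_COMMAND is present in the environment.
if [ -n "${SSH_ORIGINAL_COMMAND+x}" ]; then
    if cmd=$(resolve_command "$SSH_ORIGINAL_COMMAND"); then
        # $cmd is one of our fixed literals, so word splitting here is intended.
        exec $cmd
    fi
    gate "$SSH_ORIGINAL_COMMAND" >/dev/null
    echo "command not permitted" >&2
    exit 1
fi
```

Drop it in as command="/path/to/gate.sh" next to the existing from= and
no-* options; the from= restriction and the key itself still do the
authentication, the gate only decides which command that key may run.
The literal to allow is captured the same way JP did, by logging what the
client actually sends, since different rsync versions pass slightly
different --server option strings.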
