Re: Best way to duplicate HDs--talk more about rsync+ssh system
- To: Patrick Hsieh <pahud@pahud.net>
- Cc: Ted Deppner <ted@psyber.com>, debian-isp@lists.debian.org, benko <benko@pahud.net>, jack <jack@pahud.net>, axa <axa@pahud.net>
- Subject: Re: Best way to duplicate HDs--talk more about rsync+ssh system
- From: Ted Deppner <ted@psyber.com>
- Date: Tue, 1 Jan 2002 23:47:53 -0800
- Message-id: <20020102074753.GB1318@dondra.ofc.psyber.com>
- Mail-followup-to: Patrick Hsieh <pahud@pahud.net>, Ted Deppner <ted@psyber.com>, debian-isp@lists.debian.org, benko <benko@pahud.net>, jack <jack@pahud.net>, axa <axa@pahud.net>
- Reply-to: Ted Deppner <ted@psyber.com>
- In-reply-to: <20020102114410.7934.PAHUD@pahud.net>
- References: <20020101133939.GA14689@zorka.com> <20020101193009.GA24922@dondra.ofc.psyber.com> <20020102114410.7934.PAHUD@pahud.net>

On Wed, Jan 02, 2002 at 03:15:20PM +0800, Patrick Hsieh wrote:
> I've read some doc. using ssh-keygen to generate key pairs, appending
> the public keys to ~/.ssh/authorized_hosts on another host to prevent
> ssh authentication prompt. Is it very risky? Chances are a cracker could
> compromise one machine and ssh login others without any authentication.

Use ssh-keygen to generate a new key for *every* machine, and *every*
application you want to use. In the authorized_hosts section, you limit
what a single key can do by specifying a cmd that is run automatically...
in other words, use of the key executes only the command you want, and not
simply a shell.

That does not limit an attacker from exploiting whatever the passwordless
identity cmds you've set up, but they can't run rampant w/ root over an
entire machine.

--
Ted Deppner
http://www.psyber.com/~ted/
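
An added example, not part of the original post: a forced-command wrapper for a key that may only pull files with rsync. OpenSSH reads per-key options such as `command=` from `~/.ssh/authorized_keys`; the script path, the `/srv/backup` directory and the key placeholder below are assumptions made for illustration.

```shell
#!/bin/sh
# Forced-command wrapper for a backup-only SSH key (illustrative).
# authorized_keys entry on the server, all on one line (key is a placeholder):
#   command="/usr/local/bin/rsync-only.sh",no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding ssh-rsa <PUBLIC-KEY-PLACEHOLDER> backup@client

ALLOWED_DIR=/srv/backup    # assumption: the only tree this key may read

# Return 0 only for a read-only rsync server invocation under ALLOWED_DIR.
rsync_cmd_allowed() {
    case "$1" in
        # Reject anything outside a small character allowlist (this drops
        # ; | & $ ` quotes, globs and newlines) and any ".." component.
        *[!A-Za-z0-9\ ./_-]*|*..*) return 1 ;;
    esac
    set -f; set -- $1; set +f          # split into words; no globs can remain
    [ "$1" = rsync ] && [ "$2" = --server ] && [ "$3" = --sender ] || return 1
    shift 3
    # Only short-option clusters may follow; long options are refused so the
    # client cannot add flags such as --remove-source-files.
    while [ $# -gt 2 ]; do
        case "$1" in -[!-]*) shift ;; *) return 1 ;; esac
    done
    # What remains must be exactly ". <path>", with <path> under ALLOWED_DIR.
    [ $# -eq 2 ] && [ "$1" = . ] || return 1
    case "$2" in "$ALLOWED_DIR"/*) return 0 ;; *) return 1 ;; esac
}

# sshd sets SSH_ORIGINAL_COMMAND to what the client requested. It is unset for
# an interactive login, so the script simply ends and no shell is started.
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    if ! rsync_cmd_allowed "$SSH_ORIGINAL_COMMAND"; then
        echo "rejected: $SSH_ORIGINAL_COMMAND" >&2
        exit 1
    fi
    set -f
    exec $SSH_ORIGINAL_COMMAND         # validated above; split on spaces only
fi
```

With this in place a stolen client key can still read whatever lies under the allowed directory, which matches the limit described in the message: the key's one command remains usable, but nothing else on the machine is.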