
RE: SSH



Nick,

It's probably not what you wanna hear, but why not go for
something like NIS or LDAP?  My ISP has scripts that automatically
copy over /etc/{passwd,shadow,etc.} as they're updated on the
main machine, but this occasionally breaks and screws everything
up.  I've never played with NIS, but I have all authentication for
the Windows and Linux boxes here going through LDAP and it really
kicks ass.  I can administer users and groups either in the browser
(using PHP and HTTPS) or using an LDAP client on my desktop (NT) box.

pam_LDAP and OpenLDAP weren't that hard to get working together,
and once it is, it kicks ass.

j.

--
Jeremy L. Gaddis     <jlgaddis@blueriver.net>

-----Original Message-----
From: Vineet Kumar [mailto:debian-user@virtual.doorstop.net]
Sent: Monday, July 16, 2001 3:18 AM
To: debian-user@lists.debian.org
Subject: Re: SSH


* Nick Furman (nfurman@jlink.net) [010707 12:35]:
> I have a quick question regarding the secure server package and scp.
>
> I prefer not to use NIS to share the password file between two servers
> so I wrote a script to push /etc/passwd to another server so they both
> have duplicate copies when a user is added onto our system.
>
> Of course I am using scp to move the file over, but every time a user
> is added, it asks for the root user's password on the remote server.  Is
> there a way using .rhosts to disable the remote server from asking me
> for a password so it just pushes /etc/passwd over, no questions asked?
>
> Thanks!
>
> Nick

Martin gives good advice, but if you want to do this via a script and
without a password required, you could set up something like the
following:

Create a new RSA key with no passphrase. On the remote machine, add a
line something like this to /root/.ssh/authorized_keys2:

from="othermachine",command="<script to add info to system files>",no-port-forwarding,no-agent-forwarding,no-pty ssh-rsa <the key>

(Sorry, that's long because it needs to be all one line in the file).

The point is that you can create a key that will be accepted with no
passphrase, restricted to connections from a certain host, and forced to
perform a specific action. Also ensure that you have in
/etc/ssh/sshd_config:

PermitRootLogin forced-commands-only

Please, please, please understand what you're doing and gauge whether
your systems are secure enough and that this is acceptable risk.

Vineet
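
As an added example (this is not code from Vineet's message or from anyone
else in the thread), the pieces behind the forced-command setup he describes,
written so each step can be checked on its own. The host name "othermachine",
the wrapper path /usr/local/sbin/push-passwd, the staging path
/etc/passwd.incoming and the key text are placeholders chosen for
illustration. The same file doubles as the forced command: when sshd runs it
with SSH_ORIGINAL_COMMAND set, it only accepts the one scp sink it expects,
validates what arrived, and then installs it; run by hand it just defines the
functions.

```shell
#!/bin/sh
# Added example, not from the original thread.  Host name, paths and key
# below are placeholders.

# Emit the restricted authorized_keys entry for the pushing host.
#   $1 source host as sshd will see it, $2 absolute path of the wrapper on
#   the remote host, $3 public key text ("ssh-rsa AAAA... comment").
build_authorized_key() {
    printf 'from="%s",command="%s",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty %s\n' \
        "$1" "$2" "$3"
}

# Decide whether the client's request, which sshd hands the forced command
# in SSH_ORIGINAL_COMMAND, is the one scp sink we allow.  Anything else (a
# shell, scp to some other path, "scp -f" to read files back) is refused.
#   $1 request, $2 staging path.  Returns 0 to allow, 1 to refuse.
allow_request() {
    case "$1" in
        "scp -t $2" | "scp -p -t $2") return 0 ;;
        *)                            return 1 ;;
    esac
}

# Sanity-check a pushed passwd file before it replaces the live one: every
# line must have seven colon-separated fields with a numeric UID and GID,
# and root (UID 0) must still be present.  $1 = file.  Returns 0 if sane.
validate_passwd() {
    awk -F: '
        NF != 7 || $3 !~ /^[0-9]+$/ || $4 !~ /^[0-9]+$/ { bad = 1 }
        $1 == "root" && $3 == 0                          { root = 1 }
        END { exit (bad || !root) ? 1 : 0 }
    ' "$1"
}

# Install the staged file only if it validates.  Staging on the same
# filesystem as the destination makes the mv a rename, so the live file is
# never half-written.  $1 staging path, $2 destination.  Returns 0 on
# install, 1 if rejected.
install_passwd() {
    validate_passwd "$1" || return 1
    chmod 0644 "$1" && mv "$1" "$2"
}

# Forced-command mode: sshd sets SSH_ORIGINAL_COMMAND to what the client
# asked for and runs this script instead.  By hand the variable is unset
# and nothing below runs.
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    STAGE=/etc/passwd.incoming
    allow_request "$SSH_ORIGINAL_COMMAND" "$STAGE" || exit 1
    scp -t "$STAGE" && install_passwd "$STAGE" /etc/passwd
fi
```

With this in place the pushing host runs, from a script or cron job with the
passphrase-less key,
scp /etc/passwd root@remotehost:/etc/passwd.incoming; sshd ignores the
requested path, runs the wrapper, and the wrapper checks that the request is
exactly the sink it expects before letting scp write anything. Note that
/etc/passwd alone does not carry the password hashes on a shadow-enabled
system; the same pattern would need to be extended to /etc/shadow, with the
extra care that file deserves.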


