
Re: rsyncing via cron



* Andy Firman (list@firman.us) [030917 20:17]:
> On Wed, Sep 17, 2003 at 10:30:05AM -0700, Vineet Kumar wrote:
> > * Andy Firman (list@firman.us) [030917 10:18]:
> > > I have never used ssh-add but I am doing the same thing you are
> > > and I used this very nice how-to that you may find useful:
> > > 
> > > http://killyridols.net/rsyncssh.shtml
> > 
> > Careful with that one.  I just took a glance at it, and it recommends
> > using an unencrypted private key without a forced command on the remote
> > host's authorized_keys.  This isn't _all_ bad, but I'd say it could be
> > better, by adding some options in the remote host's authorized_keys to
> > prevent this key from being used for anything but rsync, and only from a
> > specified host.  I think I wrote up something about this on this list a
> > while back; try http://google.com/search?q=vineet+rsync+authorized_keys
> > .  If you can't find anything, let me know and I'll write it again.
> 
> I should have mentioned that I personally always do this "inside" a VPN tunnel.
> 
> Good point though...and thanks for the tip.  I never even thought
> about the key not being encrypted.
> 
> Some day when I can't use a VPN for some reason, I will look further
> into your recommendations.

Well, the problem isn't the network, so a VPN doesn't help anything.  The
network traffic is still encrypted.  This key is used only for
authentication.  The danger is that if someone gets ahold of that file,
they have full root access on the remote machine.  Traditionally, a
private key has a passphrase, so that an attacker needs both the
encrypted private key file and the passphrase, especially for a key that
is authorized for root.  Using a forced command means that even if this
key falls into untrusted hands, they can't get a root shell with it.

This is really sort of a "belt and suspenders" thing.  Generally, for
most people, this type of security is good enough.  But sometimes it's
just worth doing right, for example if you're building this system on a
machine with some sub-100% trusted users.  If you're just talking about
your home network, you're probably fine.

good times,
Vineet
-- 
http://www.doorstop.net/
-- 
"As we enjoy great advantages from inventions of others, we should be glad
of an opportunity to serve others by any invention of ours; and this we
should do freely and generously."  --Benjamin Franklin
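
An added example, not part of the original message or written by its author: a forced-command wrapper of the kind the message recommends, which lets the key start only rsync's server mode and nothing else. The script path, the address 192.0.2.10 and the key in the comment are placeholders assumed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Hypothetical install path:
#   /usr/local/sbin/rsync-only.sh
# Entry in the remote account's ~/.ssh/authorized_keys, all on one line
# (address and key are constructed placeholders):
#   from="192.0.2.10",command="/usr/local/sbin/rsync-only.sh --forced",no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding ssh-rsa AAAA...PLACEHOLDER backup@client

# is_allowed_rsync CMD: succeed only if CMD is an rsync server invocation
# that contains no shell metacharacters.
is_allowed_rsync() {
    cmd=$1
    nl='
'
    case $cmd in
        *';'*|*'&'*|*'|'*|*'<'*|*'>'*|*'`'*|*'$'*|*'('*|*')'*|*"$nl"*)
            return 1 ;;                  # chaining, redirection, substitution
        "rsync --server "*)
            return 0 ;;                  # what an rsync client asks sshd to run
        *)
            return 1 ;;                  # shell request, scp, anything else
    esac
}

# Runs only when sshd starts the script as the forced command; sshd puts
# the command the client asked for in SSH_ORIGINAL_COMMAND.
if [ "${1:-}" = "--forced" ]; then
    if is_allowed_rsync "${SSH_ORIGINAL_COMMAND:-}"; then
        set -f                           # no glob expansion of the words
        # Word-split only, never eval'd; paths with spaces are not supported.
        exec $SSH_ORIGINAL_COMMAND
    fi
    logger -p auth.warning "rsync-only: rejected: ${SSH_ORIGINAL_COMMAND:-<none>}"
    echo "rsync-only: command rejected" >&2
    exit 1
fi
```

The wrapper limits the key to rsync, but rsync can still read or write anything the remote account can; the rrsync script distributed with rsync additionally confines transfers to one directory.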
