Re: how to scp from one box to another with no root ssh?
On 4/14/07, Douglas Allan Tutty <dtutty@porchlight.ca> wrote:
In the past, to move config or script files from one box to another on
my home network I've used scp or rsync.
However, recent discussions on the list have pointed out that root login
with ssh should not be allowed.
How then to copy files that either only root can read or only root can
place, or that need owner/permissions to be unchanged?
I have sshd setup to only allow ssh based on pre-existing keys (no
password login allowed), and it only listens on the local interface, and
I've got shorewall running and doesn't allow ssh to/from the net.
Well, the main idea behind "root login shouldn't be allowed" is, that
root is known to exist on every linux system, so bruteforcing is one
step easier (you already know username), plus if root gets
compromised, all the system gets. So, there shouldn't be simple way
how you can get root access with only one authentication.
While private key seems to be ok, you should make sure the private key
is stored on furthest machine (so, if machine with public interface is
lost, you don't loose local machine automatically)
But i'm thinking of a bit different scenario:
From destination machine you can make key based ssh setup to access
source machine as limited user. On source machine setup sudo to allow
only one command (i.e. tar with some attribute-preserving parameters)
to be executed as root. tar file could be with mask 600 (so not
readable by other users). Then trough ssh transfer that tar file, and
decompress as root.
Drawbacks? If public machine get's compromised, it get's read access
to local machine.. but you got copy of it's config's on public machine
anyway.
Regards,
Atis
Reply to: