Re: how to scp from one box to another with no root ssh?

To: debian-user@lists.debian.org
Subject: Re: how to scp from one box to another with no root ssh?
From: Alex Samad <alex@samad.com.au>
Date: Mon, 16 Apr 2007 10:34:15 +1000
Message-id: <[🔎] 20070416003415.GF5203@samad.com.au>
Mail-followup-to: debian-user@lists.debian.org
In-reply-to: <[🔎] 945196e0704140253h19b064abs7f444f9ece1183c7@mail.gmail.com>
References: <[🔎] 20070414014101.GA19958@titan> <[🔎] 945196e0704140253h19b064abs7f444f9ece1183c7@mail.gmail.com>

On Sat, Apr 14, 2007 at 12:53:57PM +0300, Atis wrote:
> On 4/14/07, Douglas Allan Tutty <dtutty@porchlight.ca> wrote:
> >In the past, to move config or script files from one box to another on
> >my home network I've used scp or rsync.
> >
> >However, recent discussions on the list have pointed out that root login
> >with ssh should not be allowed.
> >
> >How then to copy files that either only root can read or only root can
> >place, or that need owner/permissions to be unchanged?
> >
> >I have sshd setup to only allow ssh based on pre-existing keys (no
> >password login allowed), and it only listens on the local interface, and
> >I've got shorewall running and doesn't allow ssh to/from the net.
> 
> Well, the main idea behind "root login shouldn't be allowed" is, that
> root is known to exist on every linux system, so bruteforcing is one
> step easier (you already know username), plus if root gets
> compromised, all the system gets. So, there shouldn't be simple way
> how you can get root access with only one authentication.
> 
> While private key seems to be ok, you should make sure the private key
> is stored on furthest machine (so, if machine with public interface is
> lost, you don't loose local machine automatically)
> 
> But i'm thinking of a bit different scenario:
> >From destination machine you can make key based ssh setup to access
> source machine as limited user. On source machine setup sudo to allow
> only one command (i.e. tar with some attribute-preserving parameters)
> to be executed as root. tar file could be with mask 600 (so not
> readable by other users). Then trough ssh transfer that tar file, and
> decompress as root.
> Drawbacks? If public machine get's compromised, it get's read access
> to local machine.. but you got copy of it's config's on public machine
> anyway.
> 
> Regards,
> Atis
> 

what I have done is allow root remote ssh access by key only and for specific
keys which are used to do backups etc I further limit it by placing
resetrictions on what commands are allow via ssh. look at command= for
authorized_keys



> 
> -- 
> To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org 
> with a subject of "unsubscribe". Trouble? Contact 
> listmaster@lists.debian.org
> 
>

Attachment: signature.asc
Description: Digital signature

Reply to:

References:
- how to scp from one box to another with no root ssh?
  - From: Douglas Allan Tutty <dtutty@porchlight.ca>
- Re: how to scp from one box to another with no root ssh?
  - From: Atis <atis@BEST.eu.org>

Prev by Date: Re: Restrict server access
Next by Date: Re: Time/Date via Gnome clock app (sid)
Previous by thread: Re: how to scp from one box to another with no root ssh?
Next by thread: etch/volatile -- public key is not available: NO_PUBKEY EC61E0B0BBE55AB3
Index(es):
- Date
- Thread