Message-ID: <480216.76297.qm@web51905.mail.re2.yahoo.com>
References: <20101007184549.65756vlexbx2u7sw@momessonet.ath.cx> <4CAE141F.7040904@alyf.net> <20101007235946.82345qfl96r2s7i8@momessonet.ath.cx> <5682.1286490075@ccs.covici.com>
Date: Thu, 7 Oct 2010 15:38:24 -0700 (PDT)
From: BRM
Subject: Re: [gentoo-user] Copying a file via ssh with no password, keeping the system safe
To: gentoo-user@lists.gentoo.org
In-Reply-To: <5682.1286490075@ccs.covici.com>
List-Id: Gentoo Linux mail

----- Original Message ----

> From: "covici@ccs.covici.com"
> To: gentoo-user@lists.gentoo.org
> Sent: Thu, October 7, 2010 6:21:15 PM
> Subject: Re: [gentoo-user] Copying a file via ssh with no password, keeping the system safe
>
> Momesso Andrea wrote:
>
> >
> > Quoting Andrea Conti :
> >
> > > On 07/10/2010 18:45, Momesso Andrea wrote:
> > >
> > >> Setting up a public key, would do the job, but then, all the connections
> > >> between the servers would be passwordless, so if server A gets
> > >> compromised, also server B is screwed.
> > >
> > > Well, not really...
> > > public key authentication works on a per-user basis,
> > > so all you get is that some user with a specific key can log in as some
> > > other user of B without typing a password.
> > >
> > > Of course, if you authorize a given key for logging in as root@B, then
> > > what you said is true. But that is a problem with the specific setup.
> > >
> > >> Is there a way to allow only one single command from a single cronjob to
> > >> operate passwordless, while keeping all the other connections secured by
> > >> a password?
> > >
> > > You can't do that on a per-command basis. You'd be trying to control the
> > > authentication method accepted by sshd on B according to which command
> > > is run on A -- something sshd on B knows nothing about.
> > >
> > > I would try the following way:
> > >
> > > - Set up an unprivileged user on B -- let's call it foo -- which can
> > > only write to its own home directory, /home/foo.
> > >
> > > - add the public key you will be using (*) to foo@B's authorized_keys
> > > file. You should set the key's options to
> > > 'pattern="",no-pty,command="/usr/bin/scp -t -- /home/foo"'
> > > (man sshd for details).
> > >
> > > - chattr +i /home/foo/.ssh/authorized_keys, so that the file can only be
> > > changed by a superuser (you can't just chown the file to root as sshd is
> > > quite anal about the permissions of the authorized_keys file)
> > >
> > > Now your cron job on A can do "scp foo@B:/home/foo" without the
> > > need for entering a password; you just have to set up another cron job
> > > on B that picks up the file from /home/foo and puts it where it should
> > > go with the correct permissions, possibly after doing a sanity check on
> > > its contents.
> > >
> > > If you use something else than scp (e.g. rsync) you should also adjust
> > > the command option in the key options above.
> > > Note that the option refers to what is run on B, not on A. Also, it is
> > > *not* an authorization directive à la /etc/sudoers (i.e., it does not
> > > specify what commands the user is allowed to run): it simply overwrites
> > > whichever command is requested by the client side of the ssh connection,
> > > so that, for example, the client cannot request a shell or do "cat
> > > ".
> > >
> > > (*) You can either use the key of the user running the cron job on A, or
> > > generate a separate key which is only used for the copy operation. In
> > > this case, you will need to tell scp the location of the private key
> > > file with the -i option.
> > >
> > > HTH,
> > > andrea
> > >
> > >
> >
> > Thank you all for your fast replies, I think I'll use all of your suggestions:
> >
> > -create an unprivileged user with no shell access as Stroller and
> > Andrea suggested
> >
> > -I'll set up a passwordless key for this user, only limited to a single
> > command, as Willie
> > suggested
> >
> > This sounds pretty sane to me.
> I think for ssh to work the user needs a valid shell, not nologin, so
> you can't do both of those suggestions.

Wouldn't a shell-less account just provide the ability to use SFTP/SCP?
Those don't require a shell to operate.

You only need a shell if you are going to actually login as a user and do
something other than a file transfer.

Also, ssh can be run in multiple modes - some of which do not require a shell;
for example:

ssh someuser@myhost.com /bin/false

will run the command "/bin/false" without initiating a shell. (man ssh for
details).

$0.02

Ben
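The scheme Andrea lays out above has two halves: a key in foo@B's authorized_keys whose options pin the connection to scp's receive side, and a cron job on B that checks what landed in /home/foo before moving it into place. The script below is an added example, not code from the thread or from any of the posters. It builds the authorized_keys line (using the `from=` host restriction, which is assumed to be what the thread's truncated "pattern" option refers to, plus `no-pty`, the `no-*-forwarding` options and the forced `command=`), and implements the pickup job with the sanity checks a defender would want: plain filename only, regular file rather than a symlink planted by the foo account, a size bound, and a text-only content check. The host address, key material, file names and size limit are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): restricted authorized_keys entry for
# foo@B plus the pickup job that runs from B's crontab. All paths, the from=
# pattern and the public key are constructed placeholders.
set -eu

# Build the authorized_keys line. $1 is the host pattern for the from=
# restriction (assumed to be server A's address), $2 the public key line
# ("type base64 [comment]"). The forced command is scp's receive side (-t)
# pinned to /home/foo: whatever command the client asks for is replaced by
# this one. no-pty and the no-*-forwarding options close the other channels
# an unrestricted key would open.
make_authorized_line() {
    printf 'from="%s",no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding,command="/usr/bin/scp -t -- /home/foo" %s\n' "$1" "$2"
}

# Pickup job for B's cron. $1 drop directory (/home/foo in the thread),
# $2 bare filename expected from A, $3 final destination path, $4 maximum
# accepted size in bytes. Returns non-zero and leaves the destination
# untouched when any check fails.
pickup() {
    drop="$1"; name="$2"; dest="$3"; max="$4"
    # only a plain filename is accepted: no path components, no dotfiles
    case "$name" in
        ""|*/*|.*) echo "pickup: bad filename '$name'" >&2; return 1 ;;
    esac
    src="$drop/$name"
    # foo owns the drop directory, so it could replace the file with a
    # symlink pointing anywhere; accept only a regular file
    if [ -L "$src" ] || [ ! -f "$src" ]; then
        echo "pickup: $src is missing or not a regular file" >&2; return 1
    fi
    size=$(wc -c < "$src" | tr -d ' ')
    if [ "$size" -eq 0 ] || [ "$size" -gt "$max" ]; then
        echo "pickup: $src has unexpected size $size" >&2; return 1
    fi
    # content sanity check (assumption: the transferred file is plain ASCII
    # text); reject anything containing non-printable bytes
    if LC_ALL=C grep -q '[^[:print:][:space:]]' "$src"; then
        echo "pickup: $src contains non-text bytes" >&2; return 1
    fi
    # install(1) copies with an explicit mode instead of mv, so the file
    # never appears at the destination carrying foo's permissions
    install -m 0644 "$src" "$dest" && rm -f "$src"
}

# Stand-alone demo on a temporary directory standing in for /home/foo.
demo() {
    tmp=$(mktemp -d)
    # constructed key string, not real key material
    key='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedPlaceholderKeyNotReal copy-job@A'
    make_authorized_line '192.0.2.10' "$key"
    printf 'hostname-a 192.0.2.10\n' > "$tmp/hosts.fragment"
    pickup "$tmp" hosts.fragment "$tmp/installed" 4096
    ls -l "$tmp/installed"
    rm -rf "$tmp"
}
demo
```

One caveat on the shell question raised at the end of the thread: sshd starts a forced command (and scp itself) through the account's login shell as `shell -c command`, so the foo account still needs a working shell such as /bin/sh; giving it nologin or /bin/false stops the forced scp as well. The confinement comes from the key options and the unprivileged account, not from removing the shell.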