No.
You need to be logged in as me on one box that is trusted by the others. And then you can start wandering.

You cannot play the same trick from another user ID unless you can get the machine to lie about who you are (requires root, and if you have root then it is easier...).

You cannot play the same trick from another IP address.

And in practice, the fact that you spend less time logging in reduces the opportunity for compromise.

Furthermore I note that having a challenge response is stupid with a cron user because it now requires me to code up code to give the right reply. Which means that my passwords go into my code, which goes under revision control. Which is stupid. Moronic. And did I mention stupid? Mixing passwordless ssh with rsync is far, far better.

Cheers,
Ben
"Career politicians are inherently untrustworthy; if it spends its life buzzing around the outhouse, it's probably a fly."
- [link|http://www.nationalinterest.org/issues/58/Mead.html|Walter Mead]
if I have rooted your box, the first aim of a crack
I then can su - anyid and if that id has challengeless access to another machine that is a security issue. If you are inside a secured network, the problem is lessened. I am not sure I understand why one box would need to access another box's crontab files or usage? Please a little more detail.
thanx,
bill
will work for cash and other incentives [link|http://home.tampabay.rr.com/boxley/resume/Resume.html|skill set]

"Therefore, by objective standards, the leading managers of the U.S. economy...are collectively, clinically insane."
Lyndon LaRouche
Sample usage
You have an internal box. It produces data. Said data needs to be sent to boxes that are visible from the outside world.

How should you do this?

I like the solution of having the internal box run cron jobs and then push to the machines visible from the outside. I also like having the ones seen from the outside being unable to initiate any conversation backwards, which rules out any kind of "pull" technique. Finally I prefer not to advertise any user/password information that I don't need to.

Passwordless ssh with a cron user on the internal box trusted on the outside ones seems to be perfect for what I want.

Cheers,
Ben
"Career politicians are inherently untrustworthy; if it spends its life buzzing around the outhouse, it's probably a fly."
- [link|http://www.nationalinterest.org/issues/58/Mead.html|Walter Mead]
a couple of things now I understand
If you are using an ssh outbound only firewall rule that is reasonable usage. What type of data, is it binary? database dumps? text?
A strict rfs share on the outside box to the inside box with the rfs port open on the fw, then cron cp's the data to the rfs drive that is mounted to the inside box. Not in place of your solution, which is reasonable, but as an alternative. Also nfs over ssh would do the same thing and would not really require a login of any sort. rfs is more secure though. Oracle over ssh is also useful if you have databases out there.
thanx,
bill
will work for cash and other incentives [link|http://home.tampabay.rr.com/boxley/resume/Resume.html|skill set]

"Therefore, by objective standards, the leading managers of the U.S. economy...are collectively, clinically insane."
Lyndon LaRouche
The kind of data doesn't matter
The solution I offered is flexible. It will even cover the case where you need to run a few remote scripts.

Also I note that when people talk of copying data, my immediate thought is whether they have encountered the wonderful thing known as [link|http://samba.anu.edu.au/rsync/|rsync].

Cheers,
Ben
"Career politicians are inherently untrustworthy; if it spends its life buzzing around the outhouse, it's probably a fly."
- [link|http://www.nationalinterest.org/issues/58/Mead.html|Walter Mead]
Automated transfers using locked-down SSH keypairs
Ben Tilly wrote:

You have an internal box. It produces data. Said data needs to be sent to boxes that are visible from the outside world. How should you do this?

[link|http://linuxmafia.com/~rick/linux-info/ssh-publickey-process|Like this.]

Rick Moen
rick@linuxmafia.com


If you lived here, you'd be $HOME already.
Rock. Thanks for posting that.
Regards,

-scott anderson

"Welcome to Rivendell, Mr. Anderson..."
Question
Looks familiar, but locked down even further by only allowing one command.

But what if you want to be able to run 2 different commands?

One to copy data to a machine, one to tell it to recopy data to others in its cluster.

Thanks,
Ben
"Career politicians are inherently untrustworthy; if it spends its life buzzing around the outhouse, it's probably a fly."
- [link|http://www.nationalinterest.org/issues/58/Mead.html|Walter Mead]
Re: if I have rooted your box...
The ssh-agent socket is protected via filesystem permissions. root can talk to the socket if it wants to, changing UIDs if necessary.

However, this only gives you access to the current instance of ssh-agent. You don't have access to the authorization key or passphrase itself, only an authentication-granting agent using these tokens. Killing the instance of ssh-agent, or merely dumping keys, is sufficient to counter this attack. And note that if you've got root on the box, there are significant problems already.

Given the circumstances in which ssh-agent is likely to be used, this is a significant improvement, from a security perspective, over the alternatives:
  • Access is via unsecured keys. In this case, filesystem access (root user or a reboot under another OS instance) is sufficient to compromise the system, and the exploit data are persistent across both process and system boot instances.
  • Access is via a secured key, but passphrase is either stored in a file or provided via other methods (interactive access, command line options, handcrafted agent). Any of these methods reduce security, convenience, or both.

Also, there are yet more alternatives. It's possible to use a [link|http://www.google.com/search?q=ssh+%22forced+command%22|forced command], in which case a given SSH key is only capable of executing a single command. Forced commands can themselves be used w/o passphrases, interactively, or via ssh-agent.

The balance is functionality, convenience, and security. If you need the functionality, then start looking at convenience & security. ssh-agent's a pretty slick way to fly.
--
Karsten M. Self [link|mailto:kmself@ix.netcom.com|kmself@ix.netcom.com]
[link|http://kmself.home.netcom.com/|http://kmself.home.netcom.com/]
What part of "gestalt" don't you understand?
[link|http://twiki.iwethey.org/twiki/bin/view/Main/|TWikIWETHEY] -- an experiment in collective intelligence. Stupidity. Whatever.

Keep software free. Oppose the CBDTPA. Kill S.2048 dead.
[link|http://www.eff.org/alerts/20020322_eff_cbdtpa_alert.html|http://www.eff.org/...a_alert.html]
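Ben asked above how a forced command can serve two different requests (push data, then tell the box to recopy it to its cluster), and Karsten's post describes forced commands as limiting a key to one command. The usual answer is that the one command is a small dispatcher that inspects SSH_ORIGINAL_COMMAND. The script below is an added example written for this thread, not code from any post or from Rick Moen's page; the authorized_keys line, the paths (/srv/data/incoming, /usr/local/bin/recopy-to-cluster, /usr/bin/rsync) and the recopy helper are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. Forced-command wrapper for the
# cron user's key on an outside box: the internal box may either rsync-push
# into one directory or ask for "recopy"; every other request is refused.
#
# Assumed authorized_keys entry on the outside box (one line, key elided):
#   command="/usr/local/bin/cron-dispatch",no-pty,no-port-forwarding,
#   no-agent-forwarding,no-X11-forwarding ssh-rsa AAAA... cron@internal
# sshd runs this script instead of whatever the client asked for, and leaves
# the client's request in SSH_ORIGINAL_COMMAND for us to vet.

DATA_DIR="${DATA_DIR:-/srv/data/incoming}"                           # assumed
RECOPY_SCRIPT="${RECOPY_SCRIPT:-/usr/local/bin/recopy-to-cluster}"   # assumed
RSYNC=/usr/bin/rsync                                                 # assumed

# Classify a requested command: prints copy, recopy or deny, and returns 0
# only for the two permitted requests. rsync's server-side option string
# varies with version and client flags, hence the wildcard in the middle;
# --sender is rejected first so this key can only push, never pull.
dispatch() {
    case "$1" in
        *--sender*)                         echo deny;   return 1 ;;
        "rsync --server "*" . $DATA_DIR/")  echo copy;   return 0 ;;
        recopy)                             echo recopy; return 0 ;;
        *)                                  echo deny;   return 1 ;;
    esac
}

# Act only when sshd invoked us with a forced command; when the file is
# sourced for testing, SSH_ORIGINAL_COMMAND is unset and nothing below runs.
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    action=$(dispatch "$SSH_ORIGINAL_COMMAND") || {
        logger -t cron-dispatch "refused: $SSH_ORIGINAL_COMMAND"
        echo "command refused" >&2
        exit 1
    }
    case "$action" in
        copy)
            # Re-split the vetted string into words without a shell: no
            # globbing and no ';' or '$' interpretation, then exec rsync.
            set -f
            set -- $SSH_ORIGINAL_COMMAND
            shift                                   # drop the leading "rsync"
            exec "$RSYNC" "$@"
            ;;
        recopy)
            exec "$RECOPY_SCRIPT"
            ;;
    esac
fi
```

The internal cron job then runs plain `rsync -a ... outside:/srv/data/incoming/` followed by `ssh outside recopy`, and a compromised internal key still cannot read files back or run anything else on the outside box.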