On 7 Apr 2001, Mark W. Eichin wrote:
> Indeed, the biggest reason to use an external ssh program is that it
> makes security updates *someone else's* problem -- ideally someone who
> cares and/or is good at it. ("Put all your eggs in one basket and
> *watch that basket*" :-) Seriously, when an ssh bug comes up (and more
> will - it's written in C after all) we don't need the additional
> leverage provided *to the attacker* of having to fix related attacks
> in N different programs - we just have to fix ssh itself. Yay
> abstraction.
That's exactly the way I like it as well. :) I had occasion once to
need passwordless rsyncing, but there was no way I was going to just plain
allow passwordless SSH.
So I recompiled OpenSSH to use a different port, and have a different name
(BrokenSSH, or "bs" for short). I installed it on the receiving box in a
chrooted environment, configured its sshd_config and ran it through tcp
wrappers so that only one account could be accessed from only one
IP. Then I just called it on the sending box with rsync's -e
switch:
rsync -varpogte bs --stats /var/www/ incoming@mirror:/var/www/
--
Rob Russell Senior Systems Analyst
613-224-6676 x332 N-able Technologies
fax: 613-228-1399 http://www.N-ableIT.com
877-655-4689 [EMAIL PROTECTED]
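The setup Rob describes above, assembled as an added example (this is not code from the original post or from OpenSSH): a second sshd instance on its own port, an sshd_config that admits exactly one account from exactly one IP, TCP-wrappers rules keyed on the renamed daemon, a client-side "bs" that rsync's -e invokes, and a pre-flight check that refuses a config which still allows passwords, root, or logins from anywhere. The port 2222, user "incoming", source address 192.0.2.10, key path ~/.ssh/bs_key and the name "bs" are all illustrative, and instead of recompiling OpenSSH the client wrapper simply passes -p to ssh.

```shell
#!/bin/sh
# Added example, not from the original post: a locked-down sshd instance
# ("bs") for rsync-only pushes, restricted to one account from one IP.
# All identifiers below (port, user, IP, key path, "bs") are assumed values.

BS_PORT=2222            # non-default port for the rsync-only daemon
BS_USER=incoming        # the only account permitted to log in
BS_SRC_IP=192.0.2.10    # the only source address permitted (RFC 5737 range)

# sshd_config for the restricted instance; written to the path given as $1.
# Start it separately from the normal daemon with: sshd -f <this file>
write_bs_sshd_config() {
    cat > "$1" <<EOF
# rsync-only sshd instance ("bs")
Port $BS_PORT
PidFile /var/run/bs-sshd.pid
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
# user@host form: only $BS_USER, and only when connecting from $BS_SRC_IP
AllowUsers $BS_USER@$BS_SRC_IP
AllowTcpForwarding no
X11Forwarding no
PermitTunnel no
EOF
}

# TCP-wrappers rules. The daemon name matched by libwrap is the process
# name, i.e. the renamed binary "bs", so a rule for "sshd" would not apply.
write_bs_hosts_allow() {
    printf 'bs: %s\n' "$BS_SRC_IP" > "$1"
}
write_bs_hosts_deny() {
    printf 'bs: ALL\n' > "$1"
}

# Client-side "bs": the program rsync -e runs. Points ssh at the alternate
# port and a dedicated, passphrase-less key used only for this job.
# The quoted heredoc escapes keep "$HOME" and "$@" for the wrapper itself.
write_bs_client_wrapper() {
    cat > "$1" <<EOF
#!/bin/sh
exec ssh -p $BS_PORT -i "\$HOME/.ssh/bs_key" -o BatchMode=yes "\$@"
EOF
    chmod 755 "$1"
}

# Pre-flight check before starting the daemon: return 0 only if the config
# disables passwords and root login, pins logins to one user@host, and
# disables port forwarding; return 1 otherwise.
check_bs_sshd_config() {
    cfg=$1
    grep -q '^PasswordAuthentication no$' "$cfg" || return 1
    grep -q '^PermitRootLogin no$' "$cfg" || return 1
    grep -q '^AllowUsers [^ @]*@[^ ]*$' "$cfg" || return 1
    grep -q '^AllowTcpForwarding no$' "$cfg" || return 1
    return 0
}

# The transfer itself, as in the message: push /var/www/ to host $1
# through the "bs" wrapper (which must be on PATH on the sending box).
run_bs_rsync() {
    rsync -varpogt -e bs --stats /var/www/ "$BS_USER@$1:/var/www/"
}
```

Two caveats a practitioner would want: OpenSSH removed its built-in tcpwrappers/libwrap support in 6.7, so on a modern build the hosts.allow rule does nothing and the AllowUsers user@host line (or a firewall rule) has to carry the source-IP restriction on its own; and since OpenSSH gained per-key `from="..."` and `command="..."` options in authorized_keys, the same "one key, one source, one job" effect can be had without a second daemon, though a separate instance still keeps the attack surface of the public sshd untouched.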