>
> > Indeed, the biggest reason to use an external ssh program is that it
> > makes security updates *someone else's* problem -- ideally someone who
> > cares and/or is good at it. ("Put all your eggs in one basket and
> > *watch that basket*" :-) Seriously, when an ssh bug comes up (and more
> > will - it's written in C after all) we don't need the additional
> > leverage provided *to the attacker* of having to fix related attacks
> > in N different programs - we just have to fix ssh itself. Yay
> > abstraction.
>
> That's exactly the way I like it as well. :) I had occaision once to
> need passwordless rsyncing, but there was no way I was going to just plain
> allow passwordless SSH.
>
> So I recompiled OpenSSH to use a different port, and have a different name
> (BrokenSSH, or "bs" for short). I installed it on the receiving box in a
> chrooted environment, configured its sshd_config and ran it thorugh tcp
> wrappers so that only one account could be accessed from only one
> IP. Then I just called it on the sending box with rsync's -e
> switch. rsync -varpogte bs --stats /var/www/ incoming@mirror:/var/www/
Are there any good tutorials on this?
One thing that is rarely stated is the amount of time and extra effort
needed to set things up. While in theory, users could be tunnelling
FTP and Rsync via SSH to update files - how many users do this?
I don't think I have persuaded one person to do this - they all
think it too inconvenient - too much new stuff to learn - and it
takes discipline to stick with it.
A tutorial I have done on this is at:
http://www.ccp14.ac.uk/ccp14admin/security/secure_routine_web_update_rsync.html
"Secure Routine Windows to UNIX Web updating using tunnelling
via Teraterm and Rsync"
But I don't know of anyone I know personally who can be bothered
with this - so protocols with clear text passwords are still the
done thing.
(Many of these secure techniques also assume admin rights on the remote
machine. Or that the remote admin has plenty of time to spend helping out
on this things. Both flawed assuptions.)
Re comments in previous Email about ease and convenience.
Microsoft is not the power it is today due to writing
good, solid software: they rule the world because they
write "convenient to use" software compared to rivals.
When given the choice of solid implementations, or
"convenience of use" - 99% of the population go for
"convenience of use". I believe the challenge of
Open Source software is to have "both" solid implementations
and convenience of use.
Lachlan.
--
Lachlan M. D. Cranswick
Geochemistry - Lamont-Doherty Earth Observatory, Columbia University
PO Box 1000, 61 Route 9W Palisades, New York 10964-1000 USA
Tel: (845) 365-8662 Fax: (845) 365-8155
E-mail: [EMAIL PROTECTED] WWW: http://www.ldeo.columbia.edu
CCP14 Xtal Software Website: http://www.ccp14.ac.uk
