2000-09-17-18:45:36 Robert Scholten:
> I have been happily rsync'ing for some time, using ssh as root with an
> empty passphrase.  I'd like to improve system security [...]

Always a good pursuit. I'd recommend looking into ensuring that a
given key can only be used for rsyncing, and only from a given host.
That can be done with restrictions in the authorized_keys file;
specify from= to restrict what machine can use a key, and use
command= to restrict what command it can run.

With OpenSSH, command= doesn't (currently) post the requested
command into an environment variable; I've come up with a patch to
do so, and the maintainers have said that the functionality will be
in the next release. This lets you have restricted but varying
commands by specifying command=/path/to/wrapper where wrapper checks
the args, and execs the real backend pgm if it likes them.

> [...] and add a passphrase - any suggestions on how to do that?
> I'd like to be able to run rsync overnight, i.e. without me there
> to type in a passphrase.

It won't help. No matter how you stash it, if someone cracks root on
the originating machine, they'll be able to pull the passphrase out,
so the protection of just making ~root/.ssh/identity readable only
by root is as good as you can get. As long as ssh (or something like
rsync that uses it for transport) can be run automatically,
unattended, out of e.g. a crontab, all you can do is protect the ID
that it runs as.

> I can imagine burying the passphrase in a script, which would be some
> improvement, [...]

How would that be an improvement? If ~root/.ssh is mode 0700, and
the files in it are mode 0600, all owned by root, then the only way
someone could read the secret key would be if they got root, in
which case they could just read the script that contains the
passphrase.

-Bennett
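As an added illustration of the from=/command= wrapper approach described in the reply (not code from the thread or from OpenSSH): sshd runs the wrapper in place of whatever the client asked for, the wrapper reads the request from SSH_ORIGINAL_COMMAND (current OpenSSH's name for the variable the post mentions) and execs the real rsync only for a read-only pull of one directory. The authorized_keys line, the binary path and the allowed tree are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the thread: a command= wrapper of the kind the
# reply describes. sshd runs this instead of whatever the client asked for;
# the request is read from SSH_ORIGINAL_COMMAND (current OpenSSH's name for
# the variable the post mentions) and only a read-only pull of one tree is
# passed on to the real rsync. Constructed authorized_keys line using it:
#   from="backup.example.com",command="/usr/local/bin/rsync-only" ssh-rsa AAAA...
RSYNC=/usr/bin/rsync        # the real backend program (assumed path)
ALLOWED=/srv/backup         # the only tree this key may read (assumed)

# allow_rsync_cmd REQUEST: succeed only for "rsync --server --sender <opts> . PATH"
# with PATH inside $ALLOWED. Deliberately strict: widen the charset or shape
# only for options your own rsync invocation actually sends.
allow_rsync_cmd() {
    # 1. whole request: safe charset only (no metacharacters, quotes, globs, =)
    case "$1" in *[!A-Za-z0-9' './_-]*) return 1 ;; esac
    # 2. split into words (nothing left that globs) and check the shape:
    #    --sender means this side only sends, i.e. the client can only pull
    set -- $1
    [ "$#" -eq 6 ] || return 1
    [ "$1 $2 $3 $5" = "rsync --server --sender ." ] || return 1
    case "$4" in -[!-]*) ;; *) return 1 ;; esac      # one short-option word
    # 3. path confined to the allowed tree, no traversal
    case "$6" in *..*) return 1 ;; "$ALLOWED" | "$ALLOWED"/*) return 0 ;; esac
    return 1
}

# Entry point under sshd. Rejections are logged so misuse of the key shows up.
run_restricted() {
    req=${SSH_ORIGINAL_COMMAND:-}
    if allow_rsync_cmd "$req"; then
        set -- $req
        shift                              # drop the "rsync" word, exec our own binary
        exec "$RSYNC" "$@"
    fi
    logger -p auth.warning -t rsync-only "rejected from ${SSH_CLIENT%% *}: $req"
    echo "rsync-only: command not permitted" >&2
    exit 1
}

# Dispatch only when really invoked by sshd; otherwise just define the functions.
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then run_restricted; fi
```

A client doing `rsync -a backup-host:/srv/backup/ ./` makes the remote side run `rsync --server --sender ... . /srv/backup/`, which this passes; a push, a different path, or anything with shell syntax in it is refused and logged.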
