Re: Rsync: Re: password prompts (fwd)
On Sat, Apr 07, 2001 at 08:00:19PM +0100, L. Cranswick wrote:
> FTP and Rsync via SSH to update files - how many users do this? I don't think I have persuaded one person to do this - they all think it too inconvenient - too much new stuff to learn - and it takes discipline to stick with it.

I hate to be a bofh, but... If decent security is "too inconvenient", then I refuse to be responsible for the compromised box. Good security takes discipline, in any implementation.

As for the rsync integration: It is only a simple ssh setup and a '-e ssh'. Is that _really_ too much to ask?

-drew

-- 
M. Drew Streib [EMAIL PROTECTED], http://dtype.org
"Email sigs waste valuable bandwidth."
Re: Rsync: Re: password prompts (fwd)
> > Indeed, the biggest reason to use an external ssh program is that it makes security updates *someone else's* problem -- ideally someone who cares and/or is good at it. ("Put all your eggs in one basket and *watch that basket*" :-) Seriously, when an ssh bug comes up (and more will - it's written in C after all) we don't need the additional leverage provided *to the attacker* of having to fix related attacks in N different programs - we just have to fix ssh itself. Yay abstraction.
>
> That's exactly the way I like it as well. :) I had occasion once to need passwordless rsyncing, but there was no way I was going to just plain allow passwordless SSH. So I recompiled OpenSSH to use a different port, and have a different name (BrokenSSH, or "bs" for short). I installed it on the receiving box in a chrooted environment, configured its sshd_config and ran it through tcp wrappers so that only one account could be accessed from only one IP. Then I just called it on the sending box with rsync's -e switch.
>
>     rsync -varpogte bs --stats /var/www/ incoming@mirror:/var/www/

Are there any good tutorials on this?

One thing that is rarely stated is the amount of time and extra effort needed to set things up. While in theory, users could be tunnelling FTP and Rsync via SSH to update files - how many users do this? I don't think I have persuaded one person to do this - they all think it too inconvenient - too much new stuff to learn - and it takes discipline to stick with it.

A tutorial I have done on this is at:
http://www.ccp14.ac.uk/ccp14admin/security/secure_routine_web_update_rsync.html
"Secure Routine Windows to UNIX Web updating using tunnelling via Teraterm and Rsync"

But I don't know of anyone I know personally who can be bothered with this - so protocols with clear text passwords are still the done thing. (Many of these secure techniques also assume admin rights on the remote machine. Or that the remote admin has plenty of time to spend helping out on these things. Both flawed assumptions.)

Re comments in previous Email about ease and convenience. Microsoft is not the power it is today due to writing good, solid software: they rule the world because they write "convenient to use" software compared to rivals. When given the choice of solid implementations, or "convenience of use" - 99% of the population go for "convenience of use". I believe the challenge of Open Source software is to have "both" solid implementations and convenience of use.

Lachlan.

-- 
Lachlan M. D. Cranswick
Geochemistry - Lamont-Doherty Earth Observatory, Columbia University
PO Box 1000, 61 Route 9W
Palisades, New York 10964-1000 USA
Tel: (845) 365-8662   Fax: (845) 365-8155
E-mail: [EMAIL PROTECTED]
WWW: http://www.ldeo.columbia.edu
CCP14 Xtal Software Website: http://www.ccp14.ac.uk
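A concrete shape for the restricted-sshd-plus-rsync arrangement quoted above (separate sshd on its own port, one account reachable from one IP via tcp wrappers, rsync driven through -e), written as an added example for this thread rather than code from any of its authors. Everything in it is constructed: the port 2222, the source address 198.51.100.7, the account "incoming", the key path, the mirror hostname and the tcp-wrappers daemon name "sshd-bs" are placeholders, and the check function only looks at the three settings that would defeat the point (password logins, root login, an unrestricted user list).

```shell
#!/bin/sh
# Added example: restricted receive-only sshd + rsync -e, in the spirit of the
# thread. All values are constructed placeholders, not from the original mail.

SSH_PORT=2222                     # assumed alternate port for the second sshd
PUSH_HOST="198.51.100.7"          # assumed: the only IP allowed to connect
PUSH_USER="incoming"              # assumed receive-only account on the mirror
KEY_FILE="/var/lib/push/rsync_key" # assumed private key on the sending box
MIRROR="mirror"

# sshd_config fragment for the receiving box: key-only auth, no root,
# exactly one user and only from one source host (AllowUsers user@host).
hardened_sshd_config() {
    cat <<EOF
Port $SSH_PORT
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
AllowUsers ${PUSH_USER}@${PUSH_HOST}
EOF
}

# The "convenient" variant for comparison: what passwordless push would look
# like without the restrictions the thread insists on.
weak_sshd_config() {
    cat <<EOF
Port $SSH_PORT
PermitRootLogin yes
PasswordAuthentication yes
EOF
}

# tcp wrappers: allow the one source address, deny everyone else for this
# daemon. "sshd-bs" is an assumed daemon name for the renamed sshd.
hosts_allow_line() { printf 'sshd-bs: %s\n' "$PUSH_HOST"; }
hosts_deny_line()  { printf 'sshd-bs: ALL\n'; }

# Read an sshd_config fragment on stdin. Return 0 only if password logins are
# off, root login is off and AllowUsers pins a user@host pair; else return 1.
check_sshd_config() {
    cfg=$(cat)
    printf '%s\n' "$cfg" | grep -Eiq '^[[:space:]]*PasswordAuthentication[[:space:]]+yes' && return 1
    printf '%s\n' "$cfg" | grep -Eiq '^[[:space:]]*PermitRootLogin[[:space:]]+yes' && return 1
    printf '%s\n' "$cfg" | grep -Eiq '^[[:space:]]*AllowUsers[[:space:]]+[^[:space:]]+@[^[:space:]]+' || return 1
    return 0
}

# The sending side: rsync over the alternate-port ssh with the push key.
# (-a already implies -rlptgoD, so the thread's -rpogt flags are folded in.)
rsync_cmd() {
    printf 'rsync -va --stats -e "ssh -p %s -i %s" /var/www/ %s@%s:/var/www/\n' \
        "$SSH_PORT" "$KEY_FILE" "$PUSH_USER" "$MIRROR"
}

# Print the whole setup for review.
show_setup() {
    echo "# sshd_config fragment (receiving box)"; hardened_sshd_config
    echo "# /etc/hosts.allow"; hosts_allow_line
    echo "# /etc/hosts.deny";  hosts_deny_line
    echo "# sending box";      rsync_cmd
    if hardened_sshd_config | check_sshd_config; then
        echo "# check: hardened fragment OK"
    fi
    if weak_sshd_config | check_sshd_config; then
        echo "# check: weak fragment passed (should not happen)"
    else
        echo "# check: weak fragment rejected"
    fi
}

show_setup
```

The check is deliberately narrow: it catches the settings that would turn a key-restricted push account back into a password-guessable one, and nothing else. Chrooting the daemon, as the thread mentions, is a separate build-time and filesystem step that this fragment does not express.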
Re: Rsync: Re: password prompts (fwd)
On Sat, 7 Apr 2001, L. Cranswick wrote:
> > So I recompiled OpenSSH to use a different port, and have a different name (BrokenSSH, or "bs" for short). I installed it on the receiving box in a chrooted environment, configured its sshd_config and ran it through tcp wrappers so that only one account could be accessed from only one IP. Then I just called it on the sending box with rsync's -e switch.
> >
> >     rsync -varpogte bs --stats /var/www/ incoming@mirror:/var/www/
>
> Are there any good tutorials on this?

Not yet. :) But, I might be persuaded to write one. Although, most people don't like the documentation I write, because my tendency would be to just make an RPM of the modified SSH rather than to write a HOWTO.

> One thing that is rarely stated is the amount of time and extra effort needed to set things up. While in theory, users could be tunnelling FTP and Rsync via SSH to update files - how many users do this? I don't think I have persuaded one person to do this - they all think it too inconvenient - too much new stuff to learn - and it takes discipline to stick with it.

All my users. I'm mean. But, every single user that I've taught ssh/scp/rsync to has found them easier to use than telnet/ftp. I think it's all in the delivery - Most people teach SSH with "It might sound more complicated, but it's more secure," while I start off with "This is a lot easier once you've done it once or twice, and it's more secure too!"

> (Many of these secure techniques also assume admin rights on the remote machine. Or that the remote admin has plenty of time to spend helping out on these things. Both flawed assumptions.)

Yup. I can't count the number of times I've installed sshd in my homedir on someone else's box that didn't want to run it. The only problem is that I have to make it listen on a higher port. But it gets really scary when I do this and the admins don't notice. I tell them, of course, but I think a good admin should be able to notice this stuff on their own.
-- 
Rob Russell
Senior Systems Analyst          613-224-6676 x332
N-able Technologies             fax: 613-228-1399
http://www.N-ableIT.com         877-655-4689
[EMAIL PROTECTED]