P.V.Anthony wrote:
> Chen wrote:
>> Maybe you can ssh as a normal user and 'su' to root on that machine? I
>> don't know how to allow root to ssh from a particular IP, but it seems
>> not a good idea.
> I am using rsync to sync some DNS files. Need to be root. It is a
> script so I am not able to 'su'.
> For security reasons, I would like to only allow root login from one IP.
There is another way to do this more securely. We had this same issue
but came up with a way to avoid allowing a remote root login.
Run an rsync daemon with root privileges but with "hosts allow =
127.0.0.1" in your rsyncd.conf and restrict it by user (and if using
xinetd, make it listen only on 127.0.0.1).
e.g.
uid = root
gid = root
auth users = backup
secrets file = <root_mode_600_file_somewhere_safe>
hosts allow = 127.0.0.1
...
Then in a non-privileged backup account use the following type of entry
in authorized_keys
from="backuphost.example.com",permitopen="localhost:873",command="/bin/true"
ssh-dss AAAAB3NzaC1kc3MAAACBAMXo2tnX...
With this entry, the backup user is only able to forward the rsyncd port,
nothing else, and the only way to talk to the rsyncd externally is
through this non-privileged account.
Then in your backup script you run a port-forward of the remote rsync
port before running your rsync command
ssh -i backup_key -L8873:localhost:873 -N [EMAIL PROTECTED] &
SSH_PID=$!   # remember the tunnel's PID; "%" job specs do not work in non-interactive scripts
sleep 2      # give the forward a moment to come up before rsync uses it
rsync rsync://[EMAIL PROTECTED]:8873/foo ...
kill $SSH_PID
Voila!
~mc
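As an added example (not part of the original post), a small POSIX shell audit of the two pieces of configuration the setup above depends on: every authorized_keys entry must carry from=, permitopen= and command=, and rsyncd.conf must allow only 127.0.0.1 and name a secrets file. File paths, key blobs and file contents below are constructed for the demo.

```shell
#!/bin/sh
# Added audit helper (not from the original post). Checks:
#   1. every authorized_keys entry carries from=, permitopen= and command=
#   2. rsyncd.conf restricts "hosts allow" to 127.0.0.1 and sets a secrets file
# File paths, key blobs and contents below are constructed for the demo.

# Print each authorized_keys line that lacks one of the three restrictions.
# Returns 0 when every key is restricted, 1 otherwise.
audit_authorized_keys() {
    bad=0
    while IFS= read -r line; do
        case "$line" in ''|'#'*) continue ;; esac   # skip blanks and comments
        opts=${line%% ssh-*}                        # option list before the key type
        for need in 'from="' 'permitopen="' 'command="'; do
            case "$opts" in
                *"$need"*) ;;
                *) echo "missing $need $line"; bad=1 ;;
            esac
        done
    done < "$1"
    return $bad
}

# Returns 0 when rsyncd.conf allows only 127.0.0.1 and names a secrets file.
audit_rsyncd_conf() {
    allow=$(sed -n 's/^[[:space:]]*hosts allow[[:space:]]*=[[:space:]]*//p' "$1")
    if [ "$allow" != "127.0.0.1" ]; then
        echo "hosts allow is '$allow', expected 127.0.0.1"; return 1
    fi
    grep -q '^[[:space:]]*secrets file[[:space:]]*=' "$1" || { echo "no secrets file"; return 1; }
}

# Constructed demo input: one correctly restricted key and one unrestricted key.
demo_dir=$(mktemp -d)
cat > "$demo_dir/authorized_keys" <<'EOF'
from="backuphost.example.com",permitopen="localhost:873",command="/bin/true" ssh-dss AAAAB3NzaC1kc3MAAACBAMXo2tnX
ssh-dss AAAAB3NzaC1kc3MAAACBAMXo2tnX
EOF
cat > "$demo_dir/rsyncd.conf" <<'EOF'
uid = root
gid = root
auth users = backup
secrets file = /etc/rsyncd.secrets
hosts allow = 127.0.0.1
EOF

audit_authorized_keys "$demo_dir/authorized_keys" || echo "authorized_keys needs attention"
audit_rsyncd_conf "$demo_dir/rsyncd.conf" && echo "rsyncd.conf OK"
```

The second demo key is reported three times (one line per missing restriction), while the rsyncd.conf passes.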
_______________________________________________
Slugnet mailing list
[email protected]
http://www.lugs.org.sg/mailman/listinfo/slugnet