Where do <rootssh/> and <rpmssh/> come from?

Jan

>-----Original Message-----
>From: Steve Loughran [mailto:[EMAIL PROTECTED]
>Sent: Wednesday, 24 October 2007 16:27
>To: Ant Users List
>Subject: Re: Suggestions for sending data to the server
>
>Rob Wilson wrote:
>> Recently I have seen many posts for using SCP to copy files to a remote
>> location, I was intending to invoke an upload servlet to do a similar job -
>> but the servlet would insert some data into a database.
>>
>> Is it generally recommended to use SCP instead of invoking a servlet? Any
>> pros/cons that I should be aware of?
>>
>> Cheers,
>> Rob.
>>
>
>ssh/scp is the tool of choice for secure uploads
>
>1. defends against man in the middle attacks, either to grab the
>passwords or to alter the files.
>2. if you keep the keys on the client system, it's pretty easy to automate.
>3. built in to all linux systems
>4. works really well with rsync and ssh
>
>Weaknesses
>-some theoretical work on grabbing passwords (not public/private key
>pairs) by using timing information
>-too many people accept changed remote keys, when really they should
>question why their server's key has just changed
>-lots of scanner programs are always trying to break in to port 22 with
>common logons/passwords.
>-if an exploit is found, it will be very widely exploited.
>
>If you use it, and want to lock it down
> -run it on a different port from normal
> -disable root access
> -set it to use public keys only.
>
>if you wrote your own servlet for uploads you would probably be less
>secure, and have something you would need to test and maintain. If done
>over HTTPS, especially with client-side certificates, it would be pretty
>secure (encrypted traffic, no spoofing of either end). WebDAV is
>effectively this, so is Atom Publishing Protocol. Otherwise, just handle
>the POST and PUT requests yourself.
>
>Now, some ant targets to scare people w.r.t ssh and scp, namely how to
>upload an RPM to a virtualized linux image and test that it installs.
>
>First, an upload creating a clean upload dir and pushing out some rpms:
>
>
>   <target name="rpm-upload" depends="rpm-upload-init" >
>     <rpmssh command="rm -rf ${rpm.full.ssh.dir}/" failonerror="false"/>
>     <rpmssh command="mkdir -p ${rpm.full.ssh.dir}"/>
>     <property name="rpm.ssh.path"
>         value="[EMAIL PROTECTED]:${rpm.full.ssh.dir}" />
>     <scp remoteToDir="${rpm.ssh.path}"
>         passphrase="${rpm.ssh.passphrase}"
>         keyfile="${rpm.ssh.keyfile}"
>         trust="${rpm.ssh.trust}"
>         verbose="${rpm.ssh.verbose}" >
>       <fileset refid="rpm.upload.fileset"/>
>     </scp>
>   </target>
>
>
>Then some target to install the RPMs:
>
>   <target name="rpm-remote-install-all" depends="rpm-upload" >
>     <rootssh command="cd ${rpm.full.ssh.dir};rpm --upgrade --force ${rpm.verbosity} *.rpm"
>         outputProperty="rpm.result.all"/>
>     <validate-rpm-result result="${rpm.result.all}" />
>   </target>
>
>Now, a set of ssh scripts to verify that common files and dirs are
>properly owned/existing:
>
>   <target name="rpm-queries-test" depends="rpm-remote-install"
>       description="check that files and directories belong to the RPMs">
>     <expandingcopy file="${rpm.metadata.dir}/rpm-queries.txt"
>         todir="${build.dir}"/>
>     <rootssh
>         failonerror="true"
>         command="rpm -qf ${rpm.install.dir} ;
>rpm -qf ${rpm.install.dir}/bin ;
>rpm -qf ${rpm.install.dir}/lib ;
>rpm -qf ${rpm.install.dir}/links ;
>rpm -qf ${rpm.install.dir}/links/smartfrog.jar;
>rpm -qf ${rpm.install.dir}/links/sfServices.jar;
>rpm -qf ${rpm.install.dir}/bin/security ;
>rpm -qf ${rpm.install.dir}/bin/metadata ;
>rpm -qf ${rpm.log.dir} ;
>rpm -qf ${rpm.etc.dir} ;
>rpm -qf ${rpm.install.dir}/testCA ;
>rpm -qf ${rpm.install.dir}/private ;
>rpm -qf ${rpm.install.dir}/signedLib ;
>rpm -qf /etc/profile.d/smartfrog.sh ;
>rpm -qf /etc/profile.d/smartfrog.csh ;
>rpm -qf ${rpm.install.dir}/docs ;
>rpm -qf ${rpm.install.dir}/src ;
>rpm -qf ${rpm.install.dir}/src.zip "
>         outputProperty="rpm.queries.results"/>
>
>     <echo>${rpm.queries.results}</echo>
>     <fail>
>       <condition>
>         <or>
>           <contains string="${rpm.queries.results}"
>               substring="is not owned by any package"/>
>           <contains string="${rpm.queries.results}"
>               substring="No such file or directory"/>
>         </or>
>       </condition>
>       One of the directories/files in the RPM is not declared as being
>       owned by any RPM.
>       This file/directory will not be managed correctly, or have the
>       correct permissions
>       on a hardened linux
>     </fail>
>
>
>   </target>
>
> we look for the error text because <sshexec> in ant1.7 doesn't handle
>errors from multiple commands correctly -we run through all the rpm -q
>operations and then validate the output.
>
>
>
>--
>Steve Loughran                  http://www.1060.org/blogxter/publish/5
>Author: Ant in Action           http://antbook.org/
>
>---------------------------------------------------------------------
>To unsubscribe, e-mail: [EMAIL PROTECTED]
>For additional commands, e-mail: [EMAIL PROTECTED]
>
>
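
The three lockdown steps listed in the quoted mail (non-default port, no root login, public keys only) can be checked mechanically against a server's `sshd_config`. The script below is an added example, not part of the thread; it assumes OpenSSH `sshd_config` semantics and current OpenSSH defaults, uses constructed sample configs, and covers the keys-only step by checking `PasswordAuthentication` alone.

```shell
# Added example, not from the thread. The sample configs at the bottom are constructed.

# effective_value KEYWORD DEFAULT: read sshd_config text on stdin and print the value
# sshd would use. The first occurrence wins, keywords are case-insensitive, and
# scanning stops at the first Match block (conditional overrides, not global).
effective_value() {
    awk -v key="$1" -v def="$2" '
        BEGIN { key = tolower(key) }
        /^[ \t]*#/ || NF == 0 { next }
        tolower($1) == "match" { exit }
        tolower($1) == key { print tolower($2); found = 1; exit }
        END { if (!found) print def }'
}

fail() { echo "FAIL: $1"; findings=$((findings + 1)); }

# audit_sshd_config: read sshd_config text on stdin, print one line per finding and
# return the number of findings (0 means all three lockdown steps are in place).
audit_sshd_config() {
    cfg=$(cat); findings=0
    # Port may be given several times; sshd listens on every one of them.
    ports=$(printf '%s\n' "$cfg" | awk '
        /^[ \t]*#/ || NF == 0 { next }
        tolower($1) == "match" { exit }
        tolower($1) == "port" { print $2; n++ }
        END { if (!n) print 22 }')
    for p in $ports; do [ "$p" != 22 ] || fail "sshd listens on the default port 22"; done
    root=$(printf '%s\n' "$cfg" | effective_value PermitRootLogin prohibit-password)
    [ "$root" = no ] || fail "PermitRootLogin is '$root', expected 'no'"
    pw=$(printf '%s\n' "$cfg" | effective_value PasswordAuthentication yes)
    [ "$pw" = no ] || fail "PasswordAuthentication is '$pw', expected 'no'"
    return "$findings"
}

# Constructed samples: the commented-out line and the Match override do not count.
WEAK_CONFIG='PermitRootLogin yes
#PasswordAuthentication no
Match User deploy
    PasswordAuthentication no'
HARDENED_CONFIG='Port 2222
permitrootlogin no
PasswordAuthentication no
PasswordAuthentication yes'

printf '%s\n' "$WEAK_CONFIG" | audit_sshd_config || echo "weak config: $? finding(s)"
printf '%s\n' "$HARDENED_CONFIG" | audit_sshd_config && echo "hardened config: clean"
```
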
