experiences with openssh automation
Robert Brockway
rbrockway-wgAaPJgzrDxH4x6Dk/4f9A at public.gmane.org
Tue Aug 9 06:24:28 UTC 2005
On Mon, 8 Aug 2005, Mike Kallies wrote:
> 1. Is there a way to programmatically update the host key identifier?
Yes, as Frank points out. But you have to ask yourself if this is a path
you want to follow. The host key identifier is there for a reason. In
particular it helps to prevent man-in-the-middle attacks.
> I never had such problems with rsh...
You never had any security with rsh either :)
> 2. Does anyone have any recommendations or experience as to how I can use
> OpenSSH in a robust and reasonably secure fashion, so that it won't freeze
Use host key identifiers ;)
> up on cron jobs, fail to time out and create a traffic jam of useless
> processes?
Check for an active ssh connection? netstat -p will do this.
> 3. Finally, since ssh as root is harmful, and automation can be doled out
> on a piecemeal basis using sudo, does anyone have any tricks to integrate
> ssh, sudo and su so that automation IDs can run remote commands without
> having to handle multiple levels of escapes?
>
> For example, automation which requires auditing /etc/shadow (hey, it does
> happen!) begins to require scripts with statements like:
>
> ssh -q -o BatchMode=yes server sudo su root -c \"grep \\\"expression\\\"
> /etc/shadow\"
IMHO if you have so many boxes that auditing /etc/shadow can't be done
manually you need to look at some other form of authentication. Allowing
automated access via ssh to an account that can sudo to root is just
opening a window for exploitation.
Rob
--
Robert Brockway B.Sc. Phone: +1-416-669-3073
Senior Technical Consultant Email: support-wgAaPJgzrDxH4x6Dk/4f9A at public.gmane.org
OpenTrend Solutions Ltd. Web: www.opentrend.net
We are open 24x7x365 for technical support. Call us in a crisis.
--
The Toronto Linux Users Group. Meetings: http://tlug.ss.org
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://tlug.ss.org/subscribe.shtml
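The three points raised in this exchange (pin the host key rather than bypass it, make cron-driven ssh fail fast instead of piling up, and avoid nested escaping while keeping the remote side least-privilege) can be put into one wrapper. The script below is an added example and not code from the original thread or from OpenSSH; the host name, key file, lock directory and the /usr/local/sbin/audit-shadow path are placeholders chosen for illustration.

```shell
#!/bin/sh
# Cron-friendly ssh automation wrapper (added example, not from the thread).
# Assumed placeholders: host "server", known_hosts file "$known",
# lock directory "$lockdir", remote script /usr/local/sbin/audit-shadow.

# 1. Pin the host key instead of turning checking off.
#    ssh-keyscan records whatever key the host presents *today*, so this is
#    trust-on-first-use: compare the printed fingerprint with one obtained
#    out of band (console, provisioning record) before relying on the file.
pin_host_key() {
    host="$1"; known="$2"
    ssh-keyscan -t ed25519,rsa "$host" > "$known" 2>/dev/null || return 1
    ssh-keygen -l -f "$known"          # print fingerprints for manual check
}

# 2. Options that make ssh fail fast from cron rather than hang:
#    no interactive prompts, strict host key check against our pinned file,
#    a connect timeout, and keepalives so a dead peer is noticed.
ssh_batch_opts() {
    printf '%s ' \
        -o BatchMode=yes \
        -o StrictHostKeyChecking=yes \
        -o UserKnownHostsFile="$1" \
        -o ConnectTimeout=10 \
        -o ServerAliveInterval=15 \
        -o ServerAliveCountMax=2
}

# 3. mkdir(2) is atomic, so a lock directory prevents overlapping cron runs
#    without a race; a still-held lock means the previous run is alive.
with_lock() {
    lockdir="$1"; shift
    if ! mkdir "$lockdir" 2>/dev/null; then
        echo "previous run still active under $lockdir, skipping" >&2
        return 75                       # EX_TEMPFAIL
    fi
    rc=0
    "$@" || rc=$?
    rmdir "$lockdir"
    return $rc
}

# 4. Feed the remote script on stdin ("sh -s") so nothing has to be escaped
#    for the local shell, the remote shell and su in turn. sudo -n fails
#    instead of prompting if the rule is missing or needs a password.
run_remote() {
    host="$1"; known="$2"
    # word-splitting of the option string is intended (no spaces in paths)
    # shellcheck disable=SC2046
    ssh $(ssh_batch_opts "$known") "$host" sh -s <<'EOF'
sudo -n /usr/local/sbin/audit-shadow
EOF
}

# Server side (constructed example, to be adapted): the automation key is
# tied to one forced command and sudo grants root for that one script only,
# so the key cannot be turned into a general root shell.
#
#   ~automation/.ssh/authorized_keys
#     restrict,command="/usr/local/sbin/audit-shadow" ssh-ed25519 AAAA... cron
#   /etc/sudoers.d/automation
#     automation ALL=(root) NOPASSWD: /usr/local/sbin/audit-shadow
#
# With a forced command in place the stdin script above is ignored by sshd
# and the pinned command runs instead; keep the "sh -s" form for hosts where
# several different remote scripts are needed.

if [ "${1:-}" = "--run" ]; then
    with_lock /var/lock/audit-shadow run_remote server /etc/ssh/known_hosts.automation
fi
```

The lock returns 75 (EX_TEMPFAIL) so cron mail shows why a run was skipped; the ssh exit status otherwise propagates, which is what a monitoring job should key on. Audit the pinned known_hosts file under change control, since replacing its key is exactly what a man-in-the-middle would need.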