Hi,

Mauro Condarelli wrote on 2014-11-07 22:45:53 +0100 [Re: [BackupPC-users] 
Unable to read 4 bytes]:
> [...]
> What follows is what I use to setup a key exchange,

I don't believe that's completely true ;-).

> obviously there are zillions ways to do the same.
> 
> backuppc@server:~$ scp .ssh/id_dsa mcon@mailgate:/tmp/backu...@server.key

Actually, you need the *public* key on the client (".ssh/id_dsa.pub"), not the
private key. More than that, you *should not have* the private key on the
client machine. Conceptually, possession of the private key is considered as
proof for being the legitimate BackupPC server. The client machine isn't the
legitimate BackupPC server, so it shouldn't be able to prove it is :-).

Additionally, I would advise against temporarily storing the key - even the
public key - in /tmp. You are later going to do (and this only makes sense if
it actually was the public key you transferred) ...

> [...]
> root@mailgate:~/.ssh# cat /tmp/backuppc\@server.key >>authorized_keys

So, while the public key is not sensitive information (you could theoretically
post it on this list, though there is no point in actually doing that), anyone
who might have been able to *modify* it in the meantime (e.g. symlink attack)
would be tricking you into putting *his* key into root's authorized_keys,
thereby gaining root access to the machine.

Strictly speaking, we should also make sure root's authorized_keys file is not
writable for group and others. Usually, root's umask and/or the pre-existence
of the file will take care of this, but it *is* something that would prevent
public key authentication from working.

> At this point You should be able to do:

backuppc@server:~$ ssh root@mailgate /bin/true
backuppc@server:~$

(this is my preferred example, because it also tests that no extraneous output
is generated).

Regards,
Holger

_______________________________________________
BackupPC-users mailing list
BackupPC-users@lists.sourceforge.net
List:    https://lists.sourceforge.net/lists/listinfo/backuppc-users
Wiki:    http://backuppc.wiki.sourceforge.net
Project: http://backuppc.sourceforge.net/