On 08/11/2014 17:20, Holger Parplies wrote:
> Hi,
>
> Mauro Condarelli wrote on 2014-11-07 22:45:53 +0100 [Re: [BackupPC-users] Unable to read 4 bytes]:
>> [...]
>> What follows is what I use to set up a key exchange,
> I don't believe that's completely true ;-).
AAARRGGHH!!
Sorry, my bad. This is what happens when you write from memory without actually cutting & pasting.
OF COURSE you have to distribute your PUBLIC key and keep your private key PRIVATE!
Shame on me.
>
>> obviously there are zillions ways to do the same.
>>
>> backuppc@server:~$ scp .ssh/id_dsa mcon@mailgate:/tmp/backu...@server.key
> Actually, you need the *public* key on the client (".ssh/id_dsa.pub"), not the private key. More than that, you *should not have* the private key on the client machine. Conceptually, possession of the private key is considered as proof for being the legitimate BackupPC server. The client machine isn't the legitimate BackupPC server, so it shouldn't be able to prove it is :-).
>
> Additionally, I would advise against temporarily storing the key - even the public key - in /tmp. You are later going to do (and this only makes sense if it actually was the public key you transferred) ...
>
>> [...]
>> root@mailgate:~/.ssh# cat /tmp/backuppc\@server.key >>authorized_keys
> So, while the public key is not sensitive information (you could theoretically post it on this list, though there is no point in actually doing that), anyone who might have been able to *modify* it in the meantime (e.g. symlink attack) would be tricking you into putting *his* key into root's authorized_keys, thereby gaining root access to the machine.
>
> Strictly speaking, we should also make sure root's authorized_keys file is not writable for group and others. Usually, root's umask and/or the pre-existence of the file will take care of this, but it *is* something that would prevent public key authentication from working.
>
>> At this point You should be able to do:
> backuppc@server:~$ ssh root@mailgate /bin/true
> backuppc@server:~$
>
> (this is my preferred example, because it also tests that no extraneous output is generated).
>
> Regards,
> Holger
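As an added example (not from the thread or from BackupPC itself), here is the safer procedure Holger describes as a POSIX shell script: it refuses anything that is not a single public-key line, appends straight from the received file with no /tmp staging, and checks that authorized_keys is not group/other writable. All paths and the demo key line are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: install a BackupPC server's *public*
# key into a client's authorized_keys and check the modes sshd requires.
# All paths and the demo key below are constructed placeholders.
set -eu

# Accept only a single public-key line; reject anything with a private-key
# header (what happened when id_dsa was copied instead of id_dsa.pub).
is_public_key() {
    if grep -q -- '-----BEGIN' "$1"; then
        return 1
    fi
    [ "$(wc -l < "$1" | tr -d ' ')" -le 1 ] || return 1
    grep -Eq '^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-nistp[0-9]+) [A-Za-z0-9+/=]+( .*)?$' "$1"
}

# Succeed only when the file is writable by neither group nor others
# (the condition Holger notes would make public-key auth fail).
check_not_group_other_writable() {
    [ "$(ls -ld "$1" | cut -c6,9)" = "--" ]
}

# Append the key directly from the file it was received into (no /tmp
# staging) and fix directory and file modes; re-running is idempotent.
install_authorized_key() {
    key_file=$1; ssh_dir=$2; auth_keys="$ssh_dir/authorized_keys"
    is_public_key "$key_file" || { echo "refusing $key_file: not a public key" >&2; return 1; }
    mkdir -p "$ssh_dir" && chmod 700 "$ssh_dir"
    touch "$auth_keys" && chmod 600 "$auth_keys"
    if ! grep -qxF -- "$(cat "$key_file")" "$auth_keys"; then
        cat "$key_file" >> "$auth_keys"
        # Guarantee a trailing newline so the next key starts on its own line.
        if [ -n "$(tail -c1 "$auth_keys")" ]; then echo >> "$auth_keys"; fi
    fi
    check_not_group_other_writable "$auth_keys"
}

# Number of key lines currently installed.
count_keys() { grep -c . "$1"; }

# Demo on a throwaway directory with a constructed (not real) key line.
demo=$(mktemp -d)
printf 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedDemoKeyNotReal backuppc@server\n' > "$demo/server.pub"
install_authorized_key "$demo/server.pub" "$demo/ssh"
install_authorized_key "$demo/server.pub" "$demo/ssh"   # idempotent
echo "installed key lines: $(count_keys "$demo/ssh/authorized_keys")"
rm -rf "$demo"
```

After installing, Holger's `ssh root@client /bin/true` check from the server is still the right final test, since it also confirms no extraneous output is produced.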