Re: [gentoo-user] Unattended sftp?
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Je Mardo Februaro 22 2005 14:10, Dave Nebinger skribis: > > I think you're right. Does this mean anyone could easily intercept my > > login and password and log in as me? > > The basic answer for this is "yes". Definitely your password could be > intercepted and used by others. > > But consider for a minute what is involved with that... > > Someone floating out there on the net would have to be intercepting > packets. And the packets that you're sending would need to flow over the > same path to the endpoint (not guaranteed by IP). And they would need to > be able to filter the mass of packets going by their system to get the > one(s) with your password information. And they would initially have to > identify a need to get your password in order to target your packets for > capture. > > Granted all of this is indeed doable, but IMHO it's like looking for a > particular atom in a haystack, let alone the needle... I disagree. The "I don't care because I'm unimportant" philosphy is dangerous. It is unlikely that there will be people wanting your password, but it is very likely that there are a lot of malicius people wanting any password, just to do harm (to you, or to others, as you). Then, all you need is one of these malicius people to be at your ISP (running a program to intercept any password) or at the other end's ISP, or, if you are unlucky enough, anywhere in the middle. - -- Pupeno: [EMAIL PROTECTED] - http://pupeno.com Reading Science Fiction ? http://sfreaders.com.ar -BEGIN PGP SIGNATURE- Version: GnuPG v1.2.6 (GNU/Linux) iD8DBQFCG9M1fW48a9PWGkURAkudAJ47eOWauRkQJkPAIYf2oFEsKOupfwCeJ8Fv RMvw0/oTLKugZ6JuGPNC+b4= =Ia5j -END PGP SIGNATURE- -- gentoo-user@gentoo.org mailing list
Re: [gentoo-user] Unattended sftp?
> Passwords in ssh and sftp are sent encrypted, so the password cannot be > sniffed by moitoring your transmissions. You cannot say the same for > ftp, telnet or http. > > As someone pointed out, you can often arrange that two given accounts > can use sftp without passwords; I do this quite a bit. > > Another approach that I use is to use the expect(1) package. You install > it on one machine, and use it to automate just about any command-line > activity, including sending passwords. The expect script that you wind > up with may have the password in the clear, but you keep it protected in > your own account. If it's using sftp, for instance, then the password is > protected by the sftp protocols. > > Expect is marvellously useful for automating all sorts of things that were > not written with automation in mind. Nice, that is sure to come in handy. - Grant > ++ kevin -- gentoo-user@gentoo.org mailing list
Re: [gentoo-user] Unattended sftp?
> > I think you're right. Does this mean anyone could easily intercept my > > login and password and log in as me? > > The basic answer for this is "yes". Definitely your password could be > intercepted and used by others. > > But consider for a minute what is involved with that... > > Someone floating out there on the net would have to be intercepting packets. > And the packets that you're sending would need to flow over the same path to > the endpoint (not guaranteed by IP). And they would need to be able to > filter the mass of packets going by their system to get the one(s) with your > password information. And they would initially have to identify a need to > get your password in order to target your packets for capture. > > Granted all of this is indeed doable, but IMHO it's like looking for a > particular atom in a haystack, let alone the needle... Ok, it sounds like I should contact the companies I'm ftp'ing to and see if there is a safe option for transmitting my password. If not, I should just use a unique password and keep an eye on things. I would think Google and Yahoo wouldn't want my password to their systems getting out any more than I want it getting out. - Grant -- gentoo-user@gentoo.org mailing list
Re: [gentoo-user] Unattended sftp?
Passwords in ssh and sftp are sent encrypted, so the password cannot be sniffed by moitoring your transmissions. You cannot say the same for ftp, telnet or http. As someone pointed out, you can often arrange that two given accounts can use sftp without passwords; I do this quite a bit. Another approach that I use is to use the expect(1) package. You install it on one machine, and use it to automate just about any command-line activity, including sending passwords. The expect script that you wind up with may have the password in the clear, but you keep it protected in your own account. If it's using sftp, for instance, then the password is protected by the sftp protocols. Expect is marvellously useful for automating all sorts of things that were not written with automation in mind. I hope this helps. ++ kevin On Tue, 22 Feb 2005 09:10:09 -0500, Dave Nebinger <[EMAIL PROTECTED]> wrote: > > I think you're right. Does this mean anyone could easily intercept my > > login and password and log in as me? > > The basic answer for this is "yes". Definitely your password could be > intercepted and used by others. > > But consider for a minute what is involved with that... > > Someone floating out there on the net would have to be intercepting packets. > And the packets that you're sending would need to flow over the same path to > the endpoint (not guaranteed by IP). And they would need to be able to > filter the mass of packets going by their system to get the one(s) with your > password information. And they would initially have to identify a need to > get your password in order to target your packets for capture. > > Granted all of this is indeed doable, but IMHO it's like looking for a > particular atom in a haystack, let alone the needle... > > > -- > gentoo-user@gentoo.org mailing list > > -- Go back to the top: I almost always top-post Kevin O'Gorman, PhD -- gentoo-user@gentoo.org mailing list
RE: [gentoo-user] Unattended sftp?
> I think you're right. Does this mean anyone could easily intercept my > login and password and log in as me? The basic answer for this is "yes". Definitely your password could be intercepted and used by others. But consider for a minute what is involved with that... Someone floating out there on the net would have to be intercepting packets. And the packets that you're sending would need to flow over the same path to the endpoint (not guaranteed by IP). And they would need to be able to filter the mass of packets going by their system to get the one(s) with your password information. And they would initially have to identify a need to get your password in order to target your packets for capture. Granted all of this is indeed doable, but IMHO it's like looking for a particular atom in a haystack, let alone the needle... -- gentoo-user@gentoo.org mailing list
Re: [gentoo-user] Unattended sftp?
> > I'm also concerned about sending my > > password for these systems over the internet in clear text. > > Ah, you're doing that whether you are doing it manually or automagically via > a cron task. So if you're not worried about the manual upload, why worry > about the automated upload? I'm not any more worried about it with the automation. Just a misunderstanding. > Based on the systems you've mentioned (google & yahoo), alternate methods > (i.e. sftp, scp, etc.) might not be available to you. Wput will work for > uploading via ftp and it's probably going to be your only option. I think you're right. Does this mean anyone could easily intercept my login and password and log in as me? - Grant -- gentoo-user@gentoo.org mailing list
RE: [gentoo-user] Unattended sftp?
> I'm also concerned about sending my > password for these systems over the internet in clear text. Ah, you're doing that whether you are doing it manually or automagically via a cron task. So if you're not worried about the manual upload, why worry about the automated upload? Based on the systems you've mentioned (google & yahoo), alternate methods (i.e. sftp, scp, etc.) might not be available to you. Wput will work for uploading via ftp and it's probably going to be your only option. -- gentoo-user@gentoo.org mailing list
Re: [gentoo-user] Unattended sftp?
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Grant wrote: | I need to ftp different text files to different systems (google, | yahoo, etc.), and I'd like to be able to set up a cron job so it is | done automatically every day. I'm also concerned about sending my | password for these systems over the internet in clear text. A | previous thread tells me wput can ftp files with a single command and | sftp can send files securely. Can sftp send files securely with a | single command? I would just emerge it and figure it out but it has a | long list of dev-perl dependencies for me. Does anyone use sftp like | that? | sftp is part of ssh, unless you have ssh accounts on these system you will not be able to use it. To allow sftp to work without the need for a passwd you need have you public key in the system that is to receive it and public key must be in the file ~/.ssh2/authorization on the machine you are trying to access. As far as I know google and yahoo does not have this capability. Mike - -- Mike Noble Email: [EMAIL PROTECTED] Key ID: 0xFFDFC13B Key fingerprint: 8204 1297 B9AD 0CED 2FCE 1FB0 9491 5824 FFDF C13B Keyserver: http://pgpkeys.mit.edu -BEGIN PGP SIGNATURE- Version: GnuPG v1.2.6 (GNU/Linux) iD8DBQFCFlInlJFYJP/fwTsRAtxoAJ4w+sEaivBk3h29KYjU99U1/GWdNgCfSg+i qyfEL1U11zUY8h7QQ5iiUVk= =B5YV -END PGP SIGNATURE- -- gentoo-user@gentoo.org mailing list
Re: [gentoo-user] Unattended sftp?
On 2005-02-18 11:00, Grant <[EMAIL PROTECTED]> wrote: > Can sftp send files securely with a single command? I would just > emerge it and figure it out but it has a long list of dev-perl > dependencies for me. Does anyone use sftp like that? If you have sftp, you have ssh. How about scp? It's part of ssh and works just like plain old cp except that you can specify remote files. It's a single command. -- Luke -- gentoo-user@gentoo.org mailing list
[gentoo-user] Unattended sftp?
I need to ftp different text files to different systems (google, yahoo, etc.), and I'd like to be able to set up a cron job so it is done automatically every day. I'm also concerned about sending my password for these systems over the internet in clear text. A previous thread tells me wput can ftp files with a single command and sftp can send files securely. Can sftp send files securely with a single command? I would just emerge it and figure it out but it has a long list of dev-perl dependencies for me. Does anyone use sftp like that? - Grant -- gentoo-user@gentoo.org mailing list