Not to be annoying, but I don't think it's ever a good idea to allow root ssh to any machine :) Set up a low-permissions user and use that, or better yet, use something that allows a shell-less user for your data transfers. Perhaps there's a good reason, but one of the things I find annoying in ssh is that scp requires a valid shell for the destination user - dunno if the same is true for sftp.
Trevor Cushen wrote:
>This man is a god among men, I will test this and get back to you. SSH is going in
>place if all this works out. I'm side tracked at the moment but will get back to it
>next week.
>
>Thanks again to all
>Trevor Cushen
>
>P.s
>
>Can I ask you for a url to more info on this expect language and its usage. Again
>many thanks
>
>-----Original Message-----
>From: Andre Guimaraes [mailto:[EMAIL PROTECTED]]
>Sent: 08 October 2002 19:26
>To: Trevor Cushen; [EMAIL PROTECTED]
>Subject: RES: Is SSH worth it??
>
>
>I don't like RSA without passwords because if your machine gets compromised, the attacker
>would have root access to other machines in your network. When I needed automated
>scripting using ssh and scp I used this programming language called EXPECT; perl
>includes a module that implements the expect language. It goes something like this:
>
>exec ssh myhost "commands" (could be scp myfile myhost:path)
>expect yes/no
>send yes\r
>expect assword
>send my_password
>
>Just to make the figure.
>
>It worked quite well, but if one host goes down and you don't include error exception
>it may get stuck in the middle of the script. Still better than keys.
>
>-----Original Message-----
>From: Trevor Cushen [mailto:[EMAIL PROTECTED]]
>Sent: Tuesday, 8 October 2002 12:24
>To: [EMAIL PROTECTED]
>Subject: Is SSH worth it??
>
>
>Many thanks to those that answered and all excellent answers that I will use in my
>argument to the customer. A few interesting points came up also. Ettercap and dsniff
>were mentioned and duly noted as I have used them before and should have left out the
>part about sniffing a switched network in my question. Another point was raised that
>the access needed to sniff should be removed first and foremost (Brad Arlt I think).
>Most definitely and it has as much as possible. Physical security to the building
>and any access points is quite strong. No external access connections are part of
>this segment of the network so external attacks getting in is a low possibility (but
>yes possible I suppose so can't be ruled out). I want to go SSH and have the
>encryption but the work involved is hard to justify to the customer (because the work
>is their side, as in rewrite the scripts). The argument that Ettercap claims to
>break SSH must also be thrown into the mix here too. I could use stunnel if I just
>wanted encryption????
>
>Here is another spanner in the works and I hope I am corrected on this because I want
>to be wrong here.
>
>We would be using SSH and SCP. SCP for automated scripts. To get scripts automated
>my understanding is that the best security in this scenario is use RSA authentication
>only. Thus no password request when I do 'scp host:file filedst'. But then does
>that mean that my SSH client will not be prompted for a password. In that case
>accountability is at the machine level. If I am wrong please inform me gently as I
>have only started looking at this in earnest. Yes I can go rhosts authentication but
>that defeats the purpose to a large degree as rhost files is what we want to get them
>away from.
>
>I am currently installing a SCO machine, Solaris machine and NT machine to set all
>this up and emulate the site as much as possible. I will post the final result in
>time.
>
>Thanks again for the feedback.
>
>Trevor Cushen
>Sysnet Ltd
>
>www.sysnet.ie
>Tel: +353 1 2983000
>Fax: +353 1 2960499
>
>
>******************************************************************************
>
>This email and any files transmitted with it are confidential and intended
>solely for the use of the individual or entity to whom they are addressed.
>
>If you have received this message in error please notify SYSNET Ltd., at telephone
>no: +353-1-2983000 or [EMAIL PROTECTED]
>
>******************************************************************************
>

-- 
Public GPG key at blackhole.pca.dfn.de.
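The two risks argued over in this thread, an automation key that hands out a full shell (or root) on the far host once the client is compromised, and root ssh being permitted at all, can both be checked mechanically. The audit script below is an added example and is not code from anyone in the thread. The authorized_keys options it looks for (from=, command=, no-pty, no-port-forwarding, no-agent-forwarding, no-X11-forwarding, restrict) and the sshd_config directives it reads are real OpenSSH ones; restrict requires OpenSSH 7.2 or later, long after this 2002 exchange, and scp -t is scp's legacy sink mode, which OpenSSH 9 clients only use with -O. The key material, addresses and paths in the sample input are constructed placeholders.

```python
"""Audit unattended-transfer keys and sshd settings for the risks raised in the
thread.  Added example, not code from the thread; the sample authorized_keys and
sshd_config strings below are constructed placeholders."""
import re
from dataclasses import dataclass

# Key types OpenSSH accepts; a line whose first token is one of these has no options.
KEY_TYPES = {"ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}
# Pre-7.2 spelling of what the single option "restrict" does today.
NO_FORWARD = {"no-pty", "no-port-forwarding", "no-agent-forwarding", "no-x11-forwarding"}


@dataclass
class KeyEntry:
    options: dict
    key_type: str
    key_data: str
    comment: str


def split_first_token(line):
    """Split off the first token; whitespace inside double quotes does not split,
    so command="scp -t /dir" stays one token."""
    quoted = False
    for i, ch in enumerate(line):
        if ch == '"':
            quoted = not quoted
        elif ch.isspace() and not quoted:
            return line[:i], line[i:].lstrip()
    return line, ""


def parse_options(text):
    """Turn 'restrict,from="a,b",command="x y"' into a dict: commas inside quotes
    belong to the value, bare options map to True, names are lower-cased."""
    opts, buf, quoted = {}, [], False
    for ch in text + ",":
        if ch == '"':
            quoted = not quoted
        elif ch == "," and not quoted:
            item = "".join(buf).strip()
            if item:
                name, sep, value = item.partition("=")
                opts[name.lower()] = value if sep else True
            buf = []
        else:
            buf.append(ch)
    return opts


def parse_authorized_key(line):
    first, rest = split_first_token(line.strip())
    if first in KEY_TYPES:
        options, key_type = {}, first
    else:
        options = parse_options(first)
        key_type, rest = split_first_token(rest)
    key_data, comment = split_first_token(rest)
    return KeyEntry(options, key_type, key_data, comment)


def audit_key(entry, user):
    """Findings for a key meant for unattended scp; an empty list is clean."""
    findings = []
    if user == "root":
        findings.append("key logs in as root; use a dedicated low-privilege transfer account")
    if "from" not in entry.options:
        findings.append("no from=: a leaked private key works from any host")
    if "command" not in entry.options:
        findings.append("no command=: key yields a full shell, not just the transfer")
    if "restrict" not in entry.options and not NO_FORWARD.issubset(entry.options):
        findings.append("pty/forwarding not disabled: add restrict (OpenSSH >= 7.2) or "
                        "no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding")
    return findings


def audit_authorized_keys(text, user):
    """Map each key's comment to its findings, skipping blank and # lines."""
    report = {}
    for line in text.splitlines():
        if line.strip() and not line.lstrip().startswith("#"):
            entry = parse_authorized_key(line)
            report[entry.comment or entry.key_data] = audit_key(entry, user)
    return report


def audit_sshd_config(text):
    """Check the two sshd directives the thread turns on.  Only top-level
    directives are read; Match blocks are not modelled."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            parts = re.split(r"[\s=]+", line, maxsplit=1)  # "Key value" or "Key=value"
            settings.setdefault(parts[0].lower(), (parts[1] if len(parts) > 1 else "").lower())
    findings = []
    root = settings.get("permitrootlogin")  # first occurrence wins, as in sshd
    if root != "no":
        findings.append("PermitRootLogin is %s; set it to no" % (root or "unset"))
    if settings.get("passwordauthentication", "yes") != "no":
        findings.append("PasswordAuthentication enabled: expect-style scripts must keep a "
                        "cleartext password on the client; with restricted keys set it to no")
    return findings


# Constructed sample input: placeholder key material, not real keys.
SAMPLE_AUTHORIZED_KEYS = """\
# key 1: bare key, the "RSA without passwords" case from the thread
ssh-rsa AAAAB3PLACEHOLDER1 backup@client1
# key 2: same intent, locked to one client address and a forced scp target
from="10.1.2.3",command="scp -t /var/transfer",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding ssh-rsa AAAAB3PLACEHOLDER2 transfer@client2
# key 3: the modern spelling of key 2
restrict,from="10.1.2.3,10.1.2.4",command="scp -t /var/transfer" ssh-ed25519 AAAAC3PLACEHOLDER3 transfer@client3
"""
SAMPLE_SSHD_CONFIG = "Port 22\nPermitRootLogin yes\nPasswordAuthentication yes\n"

if __name__ == "__main__":
    for who, found in audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS, "transfer").items():
        print(who, "->", found or "ok")
    print(audit_sshd_config(SAMPLE_SSHD_CONFIG))
```

Run it as is and key 1 draws three findings while keys 2 and 3 are clean; run the audit with user "root" and every key is flagged, which is the point made at the top of this reply. Keys 2 and 3 are what the "RSA without passwords" setup looks like once the private key can only be used from a named client, only for the forced transfer command, and without a pty or forwarding, so a compromised client gets a write slot into /var/transfer rather than a shell.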
