[EMAIL PROTECTED] wrote:
Hi. At the risk of beating a dead horse, I'd like to register my vote
for not doing this, at least not just this. The security implication is
that someone who compromises the other machine also gains full root
access to your machine - you're probably leaving the rsa keys
unencrypted on the remote machine, to allow cron jobs to work smoothly.
Not at all. More advice is always better.
The keys are encrypted.
Some things that can help improve the security of this set up:
* do your scp to an unprivileged user account. root will be able to
read this file without problems anyway.
Noted.
* in the authorized_keys file, limit (man 8 sshd) the commands that may
be run (scp?), source ips (from) of that particular ssh key.
Thanks for this. Found a very good feature that can be included in the
keys, the "found=server ip/name" feature is really cool. Have
implemented it.
* perhaps do some sanity checks/parsing on the copied file, to make sure
that the copied file actually is compliant, has only the acceptable dns
zones and not . (for example)
* optionally add some form of port knocking to your ssh port, and/or run
it on a non-standard port
Runnig on non-standard port currently now. How to do port knocking?
* if we're creating a homebrew way to transfer tinydns zone files,
perhaps googling for tinydns axfr might yield existing good ways to do
so without reinventing the wheel?
Yes I am using tinydns. Using rsync through ssh. Will read more.
Currently using ssh with encrypted keys on non-standard ports.
Once again thank you for the information.
P.V.Anthony
_______________________________________________
Slugnet mailing list
[email protected]
http://www.lugs.org.sg/mailman/listinfo/slugnet
