On Thu, 12 Nov 1998, Joe wrote:

> Ben: The set-up described there is fairly secure. (Although I'd used
> ssh/scp instead of the r_services). The .rhosts files allow "webserver" to
> log in from only 1 machine on the INTRA-net, from one specific IP address,
> which is protected (presumably) by a firewall. To top it off, the "webserver"
> user has no valid shell or password so anyone that gets into the account

In my experience with 1.2.x versions of scp, the shell has to be valid in
order to actually copy files, as the remote machine also starts an scp
process, and from the looks of it sshd calls a shell before executing an scp
process. I do not know if the 2.0.x version has this "limitation" (we are a
commercial site, and ssh 1.2.x works, so why upgrade?), but here is a quick
check:

This is the server:

root@zerkalo:/opt[111]# /usr/local/sbin/sshd -d -p 2000
debug: sshd version 1.2.26 [sparc-sun-solaris2.5.1]
debug: Initializing random number generator; seed file /etc/ssh_random_seed
log: Server listening on port 2000.
log: Generating 768 bit RSA key.
Generating p: ......++ (distance 62)
Generating q: ..++ (distance 34)
Computing the keys...
Testing the keys...
Key generation complete.
log: RSA key generation complete.
debug: Server will not fork when running in debugging mode.
log: Connection from 204.xxx.xxx.xxx port 36723
debug: Client protocol version 1.5; client software version 1.2.26
debug: Sent 768 bit public key and 1024 bit host key.
debug: Encryption type: idea
debug: Received session key; encryption turned on.
debug: Installing crc compensation attack detector.
log: Unknown group id 112
debug: Attempting authentication for radius.
log: RSA authentication for radius accepted.
debug: Executing command 'scp -v -f /tmp/network.jpg'
debug: Entering interactive session.
debug: End of interactive session; stdin 1, stdout (read 0, sent 0), stderr 284 bytes.
debug: Received SIGCHLD.
debug: Command exited with status 255.
debug: Received exit confirmation.
log: Closing connection to 204.xxx.xxx.xxx
root@zerkalo:/opt[112]# cat /etc/passwd | grep ^radius
radius:x:504:112:Radius user:/opt/radius:/bin/false
root@zerkalo:/opt[113]#

This is the client:

root@graendel:/tmp[84]# scp -v -P 2000 radiusat_private:/tmp/network.jpg .
Executing: host zerkalo.notbsd.org, user radius, command scp -v -f /tmp/network.jpg
SSH Version 1.2.26 [sparc-sun-solaris2.5.1], protocol version 1.5.
Standard version.  Does not use RSAREF.
graendel.notbsd.org: Reading configuration data /etc/ssh_config
graendel.notbsd.org: Applying options for *
graendel.notbsd.org: ssh_connect: getuid 0 geteuid 0 anon 1
graendel.notbsd.org: Connecting to zerkalo.notbsd.org [204.191.124.98] port 2000.
graendel.notbsd.org: Connection established.
graendel.notbsd.org: Remote protocol version 1.5, remote software version 1.2.26
graendel.notbsd.org: Waiting for server public key.
graendel.notbsd.org: Received server public key (768 bits) and host key (1024 bits).
graendel.notbsd.org: Host 'zerkalo.notbsd.org' is known and matches the host key.
graendel.notbsd.org: Initializing random; seed file //.ssh/random_seed
graendel.notbsd.org: Encryption type: idea
graendel.notbsd.org: Sent encrypted session key.
graendel.notbsd.org: Installing crc compensation attack detector.
graendel.notbsd.org: Received encrypted confirmation.
graendel.notbsd.org: No agent.
graendel.notbsd.org: Trying RSA authentication with key 'stanyat_private Stanislav N. Vardomskiy Dial SA/Joat (613) 566-4918'
graendel.notbsd.org: Received RSA challenge from server.
Enter passphrase for RSA key 'stanyat_private Stanislav N. Vardomskiy Dial SA/Jot (613) 566-4918':
graendel.notbsd.org: Sending response to host key RSA challenge.
graendel.notbsd.org: Remote: RSA authentication accepted.
graendel.notbsd.org: RSA authentication accepted by server.
graendel.notbsd.org: Sending command: scp -v -f /tmp/network.jpg
graendel.notbsd.org: Entering interactive session.
log: executing remote command as user radius
Environment:
  HOME=/opt/radius
  USER=radius
  LOGNAME=radius
  PATH=/bin:/usr/bin:/usr/ucb:/usr/bin/X11:/usr/local/bin:/usr/local/bin
  MAIL=/var/mail/radius
  SHELL=/bin/false
  TZ=Canada/Eastern
  SSH_CLIENT=204.xxx.xxx.xxx 36723 2000
graendel.notbsd.org: Transferred: stdin 1, stdout 284, stderr 0 bytes in 0.2 seconds
graendel.notbsd.org: Bytes per second: stdin 6.4, stdout 1827.8, stderr 0.0
graendel.notbsd.org: Exit status 255
root@graendel:/tmp[85]# ls network.jpg
network.jpg: No such file or directory
root@graendel:/tmp[86]#

I do not know if having a valid user shell will make a big difference to
your security setup, but it does to mine.

-- 
+--------+ My words are my own. LARTs are provided free of charge. +---------+
|Stanislav N. Vardomskiy - NetWinder Rescue HOWTO Maintainer and JOAT at large|
| "Backups we have; it's restores that we find tricky" - Richard Letts at asr |
| This message is powered by JOLT! For all the sugar and twice the caffeine. |
+-----------------------------------------------------------------------------+
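The behaviour shown in the session above comes from the way sshd executes a remote command: it does not exec `scp -f /tmp/network.jpg` directly but runs the account's login shell with `-c "scp -f /tmp/network.jpg"`, so a shell field of /bin/false never starts scp at all (on Solaris /bin/false is a script that exits 255, which is the status both sides report). The script below is an added example, not code from the post or from ssh itself. It reproduces that step against two constructed passwd lines (the `webserver` entry, its UID/GID and the home directories are made up; `radius` is taken from the post), and then shows the usual hardening answer to the thread's dilemma: give the account a real shell that is a tiny allow-list wrapper (`scponly_shell`, a hypothetical name) which only executes the `scp -f ...` / `scp -t ...` command forms the scp client sends and refuses everything else.

```sh
#!/bin/sh
# Added example, not code from the original post. It reproduces the step that
# makes scp fail for an account whose shell is /bin/false: sshd 1.x does not
# exec "scp -f <path>" itself, it runs   <login shell> -c "scp -f <path>"
# so a shell field that is not a real shell never starts scp. The passwd
# lines below are constructed for the demo (UIDs, GIDs and paths are made up).

PASSWD_SAMPLE='radius:x:504:112:Radius user:/opt/radius:/bin/false
webserver:x:505:113:Web push account:/home/webserver:/bin/sh'

# login_shell USER: print the shell field for USER from PASSWD_SAMPLE.
login_shell() {
    printf '%s\n' "$PASSWD_SAMPLE" | awk -F: -v u="$1" '$1 == u { print $7 }'
}

# run_like_sshd SHELL CMD: run CMD the way sshd runs a remote command,
# i.e. SHELL -c CMD. The exit status is what the server reports back.
run_like_sshd() {
    "$1" -c "$2"
}

# scp_possible USER: 0 if the account's shell will execute a command at all,
# 1 otherwise. ":" (a no-op builtin) stands in for "scp -f", so the check
# needs no scp binary and touches no files.
scp_possible() {
    sh_path=$(login_shell "$1")
    [ -n "$sh_path" ] || return 1
    run_like_sshd "$sh_path" ':' >/dev/null 2>&1
}

# Hardening alternative: give the account a real shell that is a small
# allow-list wrapper. allow_scp_command CMD accepts only the command forms
# the scp client sends to the server ("scp [-v] [-r] [-p] [-d] -f src..." to
# fetch, "... -t dst" to store) and rejects anything else, including the
# metacharacters that would let a caller chain a second command.
allow_scp_command() {
    printf '%s' "$1" | grep -q '[;&|$()<>`]' && return 1
    set -f                 # no glob expansion while we split into words
    set -- $1
    set +f
    [ "$1" = "scp" ] || return 1
    shift
    mode=""
    while [ $# -gt 0 ]; do
        case "$1" in
            -f|-t)       mode="$1" ;;
            -v|-r|-p|-d) ;;
            -*)          return 1 ;;   # any other option is refused
            *)           break ;;      # first path argument
        esac
        shift
    done
    [ -n "$mode" ] && [ $# -ge 1 ]
}

# scponly_shell -c CMD: what the wrapper installed in the passwd shell field
# does when sshd invokes it (hypothetical name). Allowed commands are exec'd;
# everything else ends with status 255, the value Solaris /bin/false returns.
scponly_shell() {
    if [ "$1" = "-c" ] && allow_scp_command "$2"; then
        exec $2
    fi
    exit 255
}

# Stand-alone demo over the constructed accounts.
for u in radius webserver; do
    if scp_possible "$u"; then
        echo "$u ($(login_shell "$u")): shell runs commands, scp can work"
    else
        echo "$u ($(login_shell "$u")): shell refuses commands, scp fails"
    fi
done
```

Two caveats a practitioner should keep in mind: the wrapper restricts the command form, not the files, so the account can still read or overwrite anything its Unix permissions allow, and a wrapper like this only holds up if the shell field points at it and the account cannot change that field. Current OpenSSH servers offer the same effect without a custom shell through `ForceCommand` in sshd_config or a `command=` option on the authorized key.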
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:23:23 PDT