Need ideas: moving stuff to server
David A. Bandel
david
Sat May 14 15:17:36 PDT 2005
Regurgitating the prose of Michael Hipp Michael Hipp <Michael at hipp.com>
on Sat, 14 May 2005 13:36:23 -0500:
|David A. Bandel wrote:
|> Don't make it easy, do you? But if you can ssh in then become root,
|> what's the difference? If you're worried about dictionary attacks
|> against ssh as root, why not just disable password logins and only
|> allow via authorized_keys? That would fix several problems in one
|> step.
|
|I don't allow password logins nor do I allow root login. Only to bona
|fide users and only with private keys. Forces the attacker to know a
|*lot* to even begin to mount an attack.
|
|> Otherwise, I'd say you need to get a root key from the other system
|> onto your box as an authorized key, then put a script (mynewfile.sh)
|> on the other box that would take as arguments: your IP, script name
|> (full pathed on your box), path where you want the script to go,
|> permissions for file. Then just: ssh server mynewfile.sh mybox
|> /home/me/myscript /etc/init.d/myscript 755 <enter>
|
|Ok, I can imagine a script that does such. But how do I cross the "su"
|barrier? I issue a command on the client that starts a script on the
|server with several params sent across. But the script is running as
|me. How do I enable it to do su things automatically?

When you use ssh to run a script, it's as if you're running the script
on that system, just that ssh exits after the command finishes. IIRC,
su works within a script prompting you for your password. Same will
happen doing this via ssh. Think of: ssh <server> <command> like this:

    ssh <server> (login to server)
    command
    exit

Everything from the server comes back to the client. The connection
remains open during the entire exchange. So if you have a command that
takes 30 minutes to complete, your ssh session will remain connected
during that time. ssh != telnet.

Ciao,
David A. Bandel
--
Focus on the dream, not the competition.
Nemesis Racing Team motto
GPG key autoresponder: mailto:david_key at pananix.com
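
Added example (not part of the original message, and not OpenSSH's own code): a shell check of the policy described in the quoted text above, no password logins and no root login, run against sshd_config text. The function names and both sample configs are constructed for illustration; the defaults passed in are assumed to be those of current OpenSSH, keyword and value are assumed to be whitespace-separated, and Match blocks are not evaluated.

```sh
#!/bin/sh
# Added example, not from the original thread. Function names are hypothetical.

# Print the effective global value of sshd_config keyword $1 from config text
# on stdin, or default $2 if unset. sshd keeps the FIRST value it obtains for
# a keyword, and keywords are case-insensitive.
sshd_effective() {
    awk -v key="$1" -v def="$2" '
        BEGIN { key = tolower(key) }
        /^[ \t]*#/ || /^[ \t]*$/ { next }      # comments and blank lines
        tolower($1) == "match" { exit }        # Match blocks are not evaluated
        tolower($1) == key { print $2; found = 1; exit }
        END { if (!found) print def }
    '
}

# Return 0 only if the config text in $1 enforces keys-only, no-root logins.
audit_sshd() {
    pw=$(printf '%s\n' "$1" | sshd_effective PasswordAuthentication yes)
    root=$(printf '%s\n' "$1" | sshd_effective PermitRootLogin prohibit-password)
    pk=$(printf '%s\n' "$1" | sshd_effective PubkeyAuthentication yes)
    status=0
    [ "$pw" = no ]   || { echo "FAIL PasswordAuthentication=$pw"; status=1; }
    [ "$root" = no ] || { echo "FAIL PermitRootLogin=$root"; status=1; }
    [ "$pk" = yes ]  || { echo "FAIL PubkeyAuthentication=$pk"; status=1; }
    return "$status"
}

# Constructed sample: the last line looks like a fix but is ignored, because
# PasswordAuthentication was already set to yes earlier in the file.
SAMPLE_WEAK='# constructed sample
PasswordAuthentication yes
PermitRootLogin no
passwordauthentication no'

# Constructed sample matching the policy in the quoted message.
SAMPLE_HARD='PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no'

audit_sshd "$SAMPLE_WEAK" || echo "weak sample rejected"
audit_sshd "$SAMPLE_HARD" && echo "hardened sample accepted"
```

On a live host, `sshd -T` prints the effective configuration including defaults. Where PAM is in use, keyboard-interactive authentication can still present a password prompt even with PasswordAuthentication set to no, so review that setting as well.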