2014-11-11 04:29:39
Subject: Re: [BackupPC-users] Unable to read 4 bytes
From: Mauro Condarelli <mc5686 AT mclink DOT it>
To: Holger Parplies <wbppc AT parplies DOT de>, "General list for user discussion, questions and support" <backuppc-users AT lists.sourceforge DOT net>
Date: Tue, 11 Nov 2014 10:27:47 +0100
On 08/11/2014 17:20, Holger Parplies wrote:
> Hi,
>
> Mauro Condarelli wrote on 2014-11-07 22:45:53 +0100 [Re: [BackupPC-users] 
> Unable to read 4 bytes]:
>> [...]
>> What follows is what I use to setup a key exchange,
> I don't believe that's completely true ;-).
AAARRGGHH!!

Sorry, my bad.
This is what happens when you write from memory without actually cutting & pasting.
OF COURSE you have to distribute your PUBLIC key and keep your private key PRIVATE!

Shame on me.

>
>> obviously there are zillions ways to do the same.
>>
>> backuppc@server:~$ scp .ssh/id_dsa mcon@mailgate:/tmp/backuppc@server.key
> Actually, you need the *public* key on the client (".ssh/id_dsa.pub"), not the
> private key. More than that, you *should not have* the private key on the
> client machine. Conceptually, possession of the private key is considered as
> proof for being the legitimate BackupPC server. The client machine isn't the
> legitimate BackupPC server, so it shouldn't be able to prove it is :-).
>
> Additionally, I would advise against temporarily storing the key - even the
> public key - in /tmp. You are later going to do (and this only makes sense if
> it actually was the public key you transferred) ...
>
>> [...]
>> root@mailgate:~/.ssh# cat /tmp/backuppc\@server.key >>authorized_keys
> So, while the public key is not sensitive information (you could theoretically
> post it on this list, though there is no point in actually doing that), anyone
> who might have been able to *modify* it in the meantime (e.g. symlink attack)
> would be tricking you into putting *his* key into root's authorized_keys,
> thereby gaining root access to the machine.
>
> Strictly speaking, we should also make sure root's authorized_keys file is not
> writable for group and others. Usually, root's umask and/or the pre-existence
> of the file will take care of this, but it *is* something that would prevent
> public key authentication from working.
>
>> At this point You should be able to do:
> backuppc@server:~$ ssh root@mailgate /bin/true
> backuppc@server:~$
>
> (this is my preferred example, because it also tests that no extraneous output
> is generated).
>
> Regards,
> Holger
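The three points Holger makes (public key only, no staging copy in /tmp, authorized_keys not group/other-writable) plus his `/bin/true` check, as an added shell example that is not code from either poster. It assumes the server's key pair is `.ssh/id_dsa` / `.ssh/id_dsa.pub` as in the thread; hostnames, paths and the key text are constructed.

```shell
#!/bin/sh
# Added example, not code from the thread: shell helpers that follow Holger's
# advice. Only a *public* key is ever appended, the key travels over ssh's stdin
# instead of a predictable /tmp file that someone else could replace first, and
# the result is refused if authorized_keys is group- or other-writable.
# Hostnames, paths and the key text are constructed for illustration.

# 0 if the first line looks like an OpenSSH public key, non-zero otherwise.
# A private key file begins with "-----BEGIN", which does not match.
is_public_key() {
    head -n 1 "$1" | grep -Eq '^(ssh-(dss|rsa|ed25519)|ecdsa-sha2-nistp(256|384|521)) '
}

# 0 if the file exists and is writable neither by group nor by others.
# sshd (StrictModes yes) ignores an authorized_keys file that fails this.
perms_ok() {
    [ -f "$1" ] || return 1
    [ -z "$(find "$1" -prune \( -perm -g+w -o -perm -o+w \) -print)" ]
}

# append_pubkey <pubkey-file> <authorized_keys>: run on the client, e.g. as
# root on mailgate. Creates the file 0600 if it does not exist yet.
append_pubkey() {
    is_public_key "$1" || { echo "refusing: $1 is not a public key" >&2; return 1; }
    ( umask 077; cat "$1" >> "$2" ) || return 1
    perms_ok "$2" || { echo "refusing: $2 is group/other-writable" >&2; return 1; }
}

# push_pubkey <pubkey-file> <root@client>: run on the BackupPC server. The
# private key (id_dsa) never leaves the server; only id_dsa.pub is streamed.
push_pubkey() {
    is_public_key "$1" || return 1
    ssh "$2" 'umask 077; mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys' < "$1"
}

# verify_silent_login <root@client>: the /bin/true test from the thread.
# Succeeds only if login works non-interactively and prints nothing at all.
verify_silent_login() {
    out=$(ssh -o BatchMode=yes "$1" /bin/true 2>&1) || return 1
    [ -z "$out" ]
}
```

Typical use: `push_pubkey ~/.ssh/id_dsa.pub root@mailgate && verify_silent_login root@mailgate`; a non-empty login banner or a prompt makes the second step fail, which is exactly what would break BackupPC's rsync transport.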


_______________________________________________
BackupPC-users mailing list
BackupPC-users AT lists.sourceforge DOT net
List:    https://lists.sourceforge.net/lists/listinfo/backuppc-users
Wiki:    http://backuppc.wiki.sourceforge.net
Project: http://backuppc.sourceforge.net/