help-cfengine

Re: cfengine, firewall and security


From: Sharif Nassar
Subject: Re: cfengine, firewall and security
Date: Fri, 10 Nov 2000 17:23:17 -0800 (PST)

Personally, I'm swimming in cpu cycles, and I don't trust the internet.
ssh and RSA are not a panacea by any means, but it's just one part of real,
comprehensive security.  If we ever start pushing password files, or
proprietary stuffs across the wire, we want the stream encrypted.  (plus,
if everything is encrypted, it's hard for the bad guy to find the rare,
important stuffs).

so, we have the master server push automagically, using rsync using ssh
using rsa AND the authorized_keys is for a specific user that can only run
one command.

(eg: an authorized hosts for a user might look like this:

no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty,command="rsync --server -vlogDtprC . /target/dir" <rsa key here>
)

then the master server, safe behind a firewall calls:

rsync --rsh=ssh -C -a /source/dir address@hidden:/target/dir


-sharif

On Fri, 10 Nov 2000 address@hidden wrote:

> On  9 Nov, Dan Bethe wrote:
> >> There seems to me to be considerable merit to the idea of using rsync
> >> to distribute the files; that provides two things:
> > 
> >     That's a fine idea, Christopher.  I'd like to add that rsync can use
> > ssh as its transport (--rsh=ssh) and that ssh can use RSA as its
> > authentication method.  But I'm sure you knew that.  :)
> > 
> 
> I sometimes despair over the popular belief that RSA encryption equals
> security. While I agree that RSA is useful and that rsync is efficient,

[snip]
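
Added example (not part of the original message or of cfengine): a small auditor that parses authorized_keys option fields and reports entries lacking the forced command or any of the no-* restrictions shown in the post. It assumes the modern OpenSSH line format (options, key type, key, comment) and treats the OpenSSH `restrict` option as covering the no-* set; the sample lines and key placeholders are constructed.

```python
KEY_TYPES = ("ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-", "sk-")
NO_OPTS = ("port-forwarding", "x11-forwarding", "agent-forwarding", "pty")

def parse_options(line):
    """Return {option: value-or-True} for one authorized_keys line."""
    opts, cur, in_quotes, i = {}, [], False, 0
    if line.startswith(KEY_TYPES):        # no options field: line begins with the key type
        return opts
    def store():
        name, _, value = "".join(cur).partition("=")
        if name:
            opts[name.lower()] = value or True   # option keywords are case-insensitive
        cur.clear()
    while i < len(line):
        ch = line[i]
        if in_quotes and line[i:i + 2] == '\\"':  # escaped quote inside a quoted value
            cur.append('"'); i += 1
        elif ch == '"':
            in_quotes = not in_quotes
        elif ch == "," and not in_quotes:         # commas inside quotes belong to the value
            store()
        elif ch in " \t" and not in_quotes:       # first unquoted blank ends the options
            break
        else:
            cur.append(ch)
        i += 1
    store()
    return opts

def missing_restrictions(opts):
    """List what an entry lacks compared with the example line in the post."""
    missing = [] if "command" in opts else ["command"]
    for o in NO_OPTS:
        if not ("no-" + o in opts or ("restrict" in opts and o not in opts)):
            missing.append("no-" + o)
    return missing

def audit(text):
    """Return {line_number: [missing restrictions]} for entries not fully locked down."""
    entries = ((n, l.strip()) for n, l in enumerate(text.splitlines(), 1))
    report = {n: missing_restrictions(parse_options(l))
              for n, l in entries if l and not l.startswith("#")}
    return {n: m for n, m in report.items() if m}

SAMPLE = """\
# constructed sample; key material is a placeholder
no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty,command="rsync --server -vlogDtprC . /target/dir" ssh-rsa AAAAB3PLACEHOLDER push@master
ssh-rsa AAAAB3PLACEHOLDER admin@laptop
command="rsync --server -vlogDtprC . /target/dir",no-pty ssh-rsa AAAAB3PLACEHOLDER backup@master
restrict,command="echo \\"a, b\\"" ssh-ed25519 AAAAC3PLACEHOLDER job@master
"""
```

Calling `audit(SAMPLE)` flags the unrestricted key on line 3 and the partially restricted key on line 4.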



