[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: cfengine, firewall and security
|
From: |
Sharif Nassar |
|
Subject: |
Re: cfengine, firewall and security |
|
Date: |
Fri, 10 Nov 2000 17:23:17 -0800 (PST) |
personally, i'm swimming in cpu cycles, and I don't trust the internet.
ssh and RSA are not panacea by any means, but it's just one part of real,
comprehensive security. If we ever start pushing password files, or
proprietary stuffs across the wire, we want the stream encrypted. (plus,
if everything is encrypted, it's hard for the bad guy to find the rare,
important stuffs).
so, we have the master server push automagically, using rsync using ssh
using rsa AND the authorized_keys is for a specific user that can only run
one command.
(eg: an authorized hosts for a user might look like this:
no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty,command="rsync
--server -vlogDtprC . /target/dir" <rsa key here>
)
then the master server, safe behind a firewall calls:
rsync --rsh=ssh -C -a /source/dir user@slave_server:/target/dir
-sharif
On Fri, 10 Nov 2000 Mark.Burgess@iu.hio.no wrote:
> On 9 Nov, Dan Bethe wrote:
> >> There seems to me to be considerable merit to the idea of using rsync
> >> to distribute the files; that provides two things:
> >
> > That's a fine idea, Christopher. I'd like to add that rsync can use
> > ssh as its transport (--rsh=ssh) and that ssh can use RSA as its
> > authentication method. But I'm sure you knew that. :)
> >
>
> I sometimes despair over the popular belief that RSA encryption equals
> security. While I agree that RSA is useful and that rsync is efficient,
[snip]
- cfengine, firewall and security, Patrice GUERLAIS, 2000/11/09
- Re: cfengine, firewall and security, Mark R. Lindsey, 2000/11/09
- RE: cfengine, firewall and security, Dan Bethe, 2000/11/09
- Re: cfengine, firewall and security, Dan Bethe, 2000/11/10
- Re: cfengine, firewall and security, Dan Bethe, 2000/11/10