Re: xinetd/rsync

From: Pete Nesbitt (pete_at_linux1.ca)
Date: 12/28/04

    To: General Red Hat Linux discussion list <redhat-list@redhat.com>
    Date: Mon, 27 Dec 2004 16:25:27 -0800
    
    

    On December 27, 2004 03:16 pm, Jim B. wrote:
    > I'm trying to set up a pair of servers so that server A rsyncs to server B
    > over a dedicated crossover connection they have. The goal is to cron job
    > it and have it work without being prompted for a password. Normally I'd
    > use ssh keys for something like this, only in this case they have a
    > dedicated crossover connection so I feel silly wasting the cpu to encrypt
    > the traffic. Is there a way to use xinetd/tcpwrappers to allow only a
    > specific user the ability to rsync from serverA to serverB without being
    > prompted for a password?
    >
    > Thanks
    > -jim

    Hi,
    I believe you can do the access to the server via TCPwrappers ("man 5
    HOSTS_ACCESS"), but it may be simpler with PAM.

    I have a doc that describes how to do this via PAM.
    Look at:
    http://www.linux1.ca
      -select Documents
        -select "Limiting SSH Access"
     look at the section "PAM access control"

    Note that you still need to authenticate the SSH session, so you'll need a
    key (or an account with no password [no!]), unless you used rhost (not
    normally a good choice). If you had an account with rhost access from Server
    A to Server B, and restricted the rhost access to use Server B as a host...
    well, it is still pretty risky, probably not worth the CPU savings. You could
    use iptables to restrict ssh based on MAC address and interface, but that
    would really limit server maintenance etc. (won't work if going through a
    router).

    Hope that helps.

    -- 
    Pete Nesbitt, rhce
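
The last suggestion in the reply above (restricting SSH by MAC address and interface with iptables), as an added example that is not part of the original message: a POSIX shell function that validates its inputs and prints the rules for review instead of applying them. The interface name `eth1`, the MAC address and the function names are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original thread. eth1 and the MAC address
# are constructed sample values; substitute the real crossover NIC and peer.

# Succeed only if $1 is a colon-separated 48-bit MAC address.
valid_mac() {
    case "$1" in *[!0-9A-Fa-f:]*) return 1 ;; esac   # rejects newlines too
    printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# Succeed only if $1 is a plausible interface name (max 15 chars on Linux).
valid_iface() {
    case "$1" in ''|*[!A-Za-z0-9_.-]*) return 1 ;; esac
    [ "${#1}" -le 15 ]
}

# Succeed only if $1 is a TCP port number in 1..65535.
valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "${#1}" -le 5 ] && [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Print iptables commands that accept SSH arriving on IFACE only from
# PEER_MAC and drop all other traffic to the SSH port on that interface.
# Runs in a subshell "( )" so its variables stay local.
ssh_mac_rules() (
    iface=$1 mac=$2 port=${3:-22}
    valid_iface "$iface" || { echo "bad interface: $iface" >&2; exit 1; }
    valid_mac "$mac"     || { echo "bad MAC: $mac" >&2; exit 1; }
    valid_port "$port"   || { echo "bad port: $port" >&2; exit 1; }

    # The mac match sees only the last hop's source MAC, so the peer must be
    # on the same layer-2 segment (a crossover cable qualifies, a routed
    # path does not). A MAC address can be changed by the sender, so this
    # narrows exposure but does not replace SSH authentication.
    echo "iptables -A INPUT -i $iface -p tcp --dport $port -m mac --mac-source $mac -j ACCEPT"
    echo "iptables -A INPUT -i $iface -p tcp --dport $port -j DROP"
    # -A appends: an earlier rule that already accepts this port wins,
    # so check the existing chain with "iptables -L INPUT -n --line-numbers".
)

# Dry run with the constructed sample values; nothing is applied.
ssh_mac_rules eth1 00:11:22:33:44:55 22
```

After reviewing the printed rules, they can be applied by piping the output to `sh` as root on Server B.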
    
