-
October 26th, 2004, 06:18 PM
#1
scripting secure file transfers?
Does anyone know of a way to script secure file transfers that run automatically?
I support an output management system that can transfer print jobs to a system instead of a printer using FTP and a plain-text password file. Basically, when you send a print job to a queue that is an FTP destination, the output management system kicks off a Perl script using the Net::FTP module to transfer the file, and it references the plain-text password file for the appropriate password for the destination system. The whole system right now makes me sick because of the plain-text passwords, and I'm trying to get around it by using scp instead. I'm having trouble getting around the password problem, though. I thought about including a line at the head of the Perl script to start an ssh-agent and run ssh-add to add an RSA or DSA authentication key created without a passphrase, but that would greatly compromise the account this is running under. Any other suggestions? This script has to be able to run automatically, without intervention.
/* You are not expected to understand this. */
-
October 26th, 2004, 06:40 PM
#2
Actually,
You can use Net::SCP and an RSA key or just execute scp...
An easy method is to add a non-priv user, set up RSA/DSA keys, then within the key file (.ssh/authorized_keys) make some modifications like command=, from=, and various things like that before the key.
EX:
command="cat >> pflog",from="firewall",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty 1024 35 823048999354794546387730268448993843509453678937752623781590692383465714412310547850845002743725739940385332209432179012664317663101851362676488696898502309227231929637769105487294380073461038245801883934544973368435992775028741798113678310035476893561892917648628649037238909042041894298934725815994839373584 root@firewall
man sshd to get the full details about locking it down. I've done this for firewall logging, and never had any issues.
Antionline in a nutshell
"You're putting the fate of the world in the hands of a bunch of idiots I wouldn't trust with a potato gun"
Trust your Technolust
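The authorized_keys options in the post restrict what the key can do on the server side; the command= option is what makes the key useless for anything except the intended transfer. Below is an added example of the forced-command side of that setup, written for this thread rather than taken from hogfly's post or from any project: a small wrapper that sshd runs in place of whatever the client requested, which lets the scp sink into one spool directory through and refuses everything else. The wrapper path /usr/local/bin/printjob-sink, the spool directory /var/spool/printjobs, the from= address and the key comment are all assumed values chosen for illustration.

```shell
#!/bin/sh
# printjob-sink: forced-command wrapper for a restricted authorized_keys entry.
# Added example (not hogfly's code). Assumed authorized_keys line on the
# receiving host, all values illustrative:
#   command="/usr/local/bin/printjob-sink",from="10.0.0.5",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa AAAA... printjobs@outputmgr
# sshd ignores what the client asked to run and runs this script instead,
# exposing the client's original request in SSH_ORIGINAL_COMMAND.

SPOOL_DIR="/var/spool/printjobs"   # assumed drop directory on the receiving host
SCP="/usr/bin/scp"                 # assumed path of the scp binary

# allowed_command REQUEST
# Returns 0 only when REQUEST is exactly the remote side of
# "scp <file> host:/var/spool/printjobs" (scp -t = "to", i.e. sink mode;
# -d is added by scp when several files are sent to a directory).
# scp -f (send a file back), shells, extra flags or ';' chains all fail the
# exact match, so the key can drop files into the spool and do nothing else.
allowed_command() {
    case "$1" in
        "scp -t $SPOOL_DIR"|"scp -t $SPOOL_DIR/"|"scp -d -t $SPOOL_DIR") return 0 ;;
        *) return 1 ;;
    esac
}

# Entry point when sshd invokes the script. The approved command is re-issued
# from fixed strings rather than by evaluating SSH_ORIGINAL_COMMAND, so nothing
# the client sent is ever passed to a shell.
run_forced_command() {
    if allowed_command "${SSH_ORIGINAL_COMMAND:-}"; then
        exec "$SCP" -t "$SPOOL_DIR"
    fi
    # A refused request (including a plain "ssh host" login attempt, where
    # SSH_ORIGINAL_COMMAND is unset) is worth a syslog line for the defender.
    logger -t printjob-sink "refused request '${SSH_ORIGINAL_COMMAND:-<interactive login>}' from ${SSH_CLIENT:-unknown}"
    echo "this key may only deliver files to $SPOOL_DIR" >&2
    exit 1
}

# Only act as the wrapper when installed and invoked under that name, so the
# functions above can also be sourced and exercised on their own.
case "$0" in */printjob-sink) run_forced_command ;; esac
```

With this in place, "scp -i jobkey job.ps printjobs@host:/var/spool/printjobs" from the output management host succeeds, while "ssh -i jobkey printjobs@host" or any attempt to copy a file back out is refused and logged. On OpenSSH 9.0 and later scp speaks SFTP by default, so the client would need "scp -O" (legacy protocol) for this exact-match allowlist, or the allowlist would need extending for the sftp subsystem request.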
-
October 26th, 2004, 06:57 PM
#3
That's great info, hogfly, thanks! The only problem I see is the output management system I'm using will kick this Perl script off as a fork, so the user running the script will be the same user the system runs under. I may be able to get away with setting the script to switch user IDs upon execution (suid), but that may be prohibited by the local configuration of the HP-UX kernel (on the host system). This method may be the best way around this. Many thanks again for your help!
/* You are not expected to understand this. */
-
October 27th, 2004, 02:55 AM
#4
what i have done to script my sftp transfers is to first set up a PKI and then once that is done, sftp has the ability to have batch transfers for example,
first you would spread around your public key and get that communication working,
then you would write your sftp batch file
ex (i don't know if this works, i am just making it up for an example so you see what i mean):
lcd /usr/dudeman/transfer
put *
quit
then you would run sftp with the batch flag (either -b or -B depending on openssh or ssh.com)
you could then cron the whole thing and you would have a daily auto sftp transfer
seeing that you have HP-UX, i am going to assume that you are running openssh like we are. if you don't want to use public key passwordless, then you could also use the ssh agent (if you don't already know how): http://www.cs.berkeley.edu/~dtliu/sshinterop.html
find / -name "*your_base*" -exec chown us:us {} \; Trust No One Use Hardened Gentoo
CATAPULTAM HABEO. NISI PECUNIAM OMNEM MIHI DABIS, AD CAPUT TUUM SAXUM IMMANE MITTAM
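The steps in the post (distribute the public key, write a batch file, run sftp with the batch flag, put it in cron) can be collected into one script. The following is an added example written for this thread, not the poster's own script: it generates the batch file, refuses to run if the passphrase-less private key is readable by anyone but its owner, and runs OpenSSH's sftp in batch mode so a cron job can never hang on a prompt. The remote account printjobs@printhost.example, the key path ~/.ssh/printjobs_key, the remote directory "incoming" and the install path /usr/local/bin/printjob-sftp.sh are assumptions; /usr/dudeman/transfer is the local directory from the post.

```shell
#!/bin/sh
# printjob-sftp.sh: unattended sftp batch transfer of finished print jobs.
# Added example (not from the thread). OpenSSH sftp is assumed, so the batch
# flag is -b; on ssh.com's client it would be -B as the post notes.

LOCAL_DIR="/usr/dudeman/transfer"     # local directory from the post
REMOTE_DIR="incoming"                 # assumed directory under the remote account
DEST="printjobs@printhost.example"    # assumed remote account and host
KEY="$HOME/.ssh/printjobs_key"        # assumed private key, created without a passphrase

# write_batch FILE
# Writes the sftp batch file. In OpenSSH batch mode any failing command aborts
# the whole batch unless it is prefixed with "-", so the mkdir may fail
# harmlessly when the directory already exists while a failed put still aborts.
write_batch() {
    cat > "$1" <<EOF
lcd $LOCAL_DIR
-mkdir $REMOTE_DIR
cd $REMOTE_DIR
put *
quit
EOF
}

# key_is_private FILE
# Returns 0 if FILE has no group or world permission bits (0600 or 0400).
# Uses the portable ls -l mode column rather than stat, whose flags differ
# between GNU and BSD. An unencrypted key readable by others is the real
# exposure of the passwordless approach, so the transfer refuses to run then.
key_is_private() {
    mode=$(ls -ld "$1" | cut -c5-10)
    [ "$mode" = "------" ]
}

run_transfer() {
    key_is_private "$KEY" || { echo "refusing to run: $KEY is readable by others" >&2; return 1; }
    batch=$(mktemp) || return 1
    write_batch "$batch"
    # BatchMode=yes makes sftp fail instead of prompting if the key is rejected;
    # StrictHostKeyChecking=yes refuses an unknown or changed host key rather
    # than silently trusting it, which matters for a job nobody is watching.
    sftp -b "$batch" -i "$KEY" -o BatchMode=yes -o StrictHostKeyChecking=yes "$DEST"
    rc=$?
    rm -f "$batch"
    return $rc
}

# cron entry (assumed install path), daily at 02:00 as the non-privileged
# transfer user:
#   0 2 * * * /usr/local/bin/printjob-sftp.sh
# Only run the transfer when invoked under that name, so the functions above
# can also be sourced and checked on their own.
case "$0" in */printjob-sftp.sh) run_transfer ;; esac
```

The public half of printjobs_key goes into the remote account's authorized_keys, ideally with the from= and no-* options from hogfly's post so that the key is only usable from the output management host and only for file transfer.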
-
October 27th, 2004, 03:09 AM
#5
roswell: I'd also suggest you learn to love expect. Once you start using it... you'll wonder why you didn't start sooner.
-
October 27th, 2004, 05:12 PM
#6
Oh, I DO love expect, but in this case it's not really practical. This script needs to be run autonomously, and I'm not about to hardcode a password into this thing. I think the best way to do this is to use the limitations in the authorized_keys file to greatly reduce the accessibility through a passwordless transfer.
/* You are not expected to understand this. */
-
October 27th, 2004, 07:26 PM
#7
Expect is not the answer.
The answer is to configure ssh so that you can connect with no password using public key authentication (i.e. the local private key is stored unencrypted).
Then you can scp all you like without being prompted for anything, and it will all be done through secure communications.
Slarty
-
October 27th, 2004, 08:02 PM
#8
It was one suggestion... that's all. Hence why I gave the ssh answer first, because that's the way to do it that makes the most sense...
*shrug*
good luck roswell
-
October 28th, 2004, 03:37 AM
#9
Originally posted here by slarty
Expect is not the answer.
The answer is to configure ssh so that you can connect with no password using public key authentication (i.e. the local private key is stored unencrypted).
Then you can scp all you like without being prompted for anything, and it will all be done through secure communications.
Slarty
I suggest using ssh-agent since:
- you can have your local private key stored encrypted with a passphrase you chose
- still you need only to be prompted once for the passphrase
Authentication data need not be stored on any other machine, and authentication passphrases never go over the network. However, the connection to the agent is forwarded over SSH remote logins.
Run ssh-agent to run the agent and ssh-add to add your local encrypted private key.
Peace always,
<jdenny>
Always listen to experts. They'll tell you what can't be done and why. Then go and do it. -- Robert Heinlein
I'm basically a very lazy person who likes to get credit for things other people actually do. -- Linus Torvalds