rsync // su

jw schultz jw at pegasys.ws
Fri Sep 5 13:52:25 EST 2003 

On Thu, Sep 04, 2003 at 11:36:31PM -0400, Carson Gaspar wrote:
> 
> 
> --On Friday, September 05, 2003 12:45 PM +1000 Martin Pool 
> <mbp at sourcefrog.net> wrote:
> 
> >On  4 Sep 2003 Atom 'Smasher' <atom at suspicious.org> wrote:
> >
> >>obviously, allowing root logins through ssh (or any protocol, really)
> >>is best avoided.
> >
> >Can you explain why you hold that opinion?
> 
> Speaking as a security weenie, the problem is the utter lack of an audit 
> trail. "root" isn't a person, it's a role. If you allow direct role logins, 
> you have no idea what person is responsible.
> 
> I don't, however, think that the rsync protocol is the right place to fix 
> it(speaking about normal rsync +rsh/ssh/whatever, not the rsync daemon). 
> Fixing the security issues with the daemon is a much more difficult 
> proposition.
> 
> Possible options:
> 
> - Don't allow root to log in, require su, sudo, or a similar mechanism 
> (such as RBAC in Solaris). This makes rsync unhappy.
> 
> - Create multiple UID 0 accounts, one per person. Works, but not the most 
> manageable of solutions.
> 
> - Only allow root logins from cryptographically authenticated trusted 
> hosts. This assumes you can trust the audit logs of host A to figure out 
> who logged in to host B. Current SSH implementations are less than stellar 
> about this, but the protocol does allow it.
> 
> - Allow cryptographically authenticated remote users (such as kerberos 
> roles - user.admin at dom.ain) to log in as role accounts. Sadly, I don't know 
> of anything but kerberos that really does this well. SSH can do something 
> similar using RSA/DSA auth and logging the key fingerprint.
> 
> - Allow role based logins based on user credentials (via PAM/NSS, or other 
> mechanisms). I'd log into the remote host as root, be authenticated as 
> carson, but logged in as root. The usual way to shoehorn this in is to 
> overload the username (e.g. log in as the user root/carson).

Rsync is pretty agnostic about how the connection is
established.  If ssh doesn't support a security mechanism
you find sufficient you need merely to create a utility that
provides that subset of rsh/ssh functionality required by
rsync.

-- 
________________________________________________________________
	J.W. Schultz            Pegasystems Technologies
	email address:		jw at pegasys.ws

		Remember Cernan and Schmitt

More information about the rsync mailing list