topic Re: using ssh/scp/sftp in Operating System - HP-UX

using ssh/scp/sftp

Ahmed_58 — Tue, 14 Apr 2009 06:31:29 GMT

Dears,
I generate a key from server A as root user and copy to server B authorize_key. and now I can send files from A to B, but: I'm littel warried:
1. can server B access to server A?
2. can server B send files to server B?
basiclly I want only server A to send files to server B, and not allow server B to access.
thanks
Ahmed

Re: using ssh/scp/sftp

Steven Schweda — Tue, 14 Apr 2009 06:35:18 GMT

> 1. can server B access to server A?

Have you tried it? (What happened?)

> 2. can server B send files to server B?

Have you tried it? (What happened?)

Re: using ssh/scp/sftp

Ahmed_58 — Tue, 14 Apr 2009 06:40:17 GMT

Hi,
will, I dont have access to server B. I only pass the key to other end Administrator.

Rgds,
Ahmed

Re: using ssh/scp/sftp

Matti_Kurkela — Tue, 14 Apr 2009 08:09:19 GMT

The SSH keys are user-specific.

Nobody on server B can access server A because of this key in any way.

With your setup, the root user (and nobody else) on server A can both "push" and "pull" files:

From A to B:
serverA> scp /some/file.txt serverB:/some/dir

From B to A:
serverA> scp serverB:/some/file.txt /some/dir

If the key was copied to the authorized_keys file of a non-root user on server B (for example "userB"), you should be aware of two things:

- You must always specify the target username when accessing server B:

scp /some/file.txt userB@serverB:/some/directory

sftp userB@serverB

If you don't specify the username, the default is the same username as you're using on server A (i.e. root). If you don't know the correct username on server B, ask the administrator of server B: there is no way you can find it out on your own except by blindly trying all possible usernames.

- On server B, you can only access the directories userB has access to. You don't automatically have root access on server B just because you are root on server A.

If you want to allow a non-root user on server A to do the copying, you don't need to create new keys: you can just copy the /root/.ssh/id_* files to the ~/.ssh directory of that user and chown the key files to that user. Of course, if you have set a passphrase to that key, you must then allow the user to know the passphrase.

(A good security principle: always use the lowest privilege level that is adequate for the job. If there is a malfunction or an attack, this limits the amount of damage that can be caused.)

Make sure that the private key file is never readable by anyone other than its owner. Otherwise the SSH tools will regard the key as "unsafe" and won't use it.

MK

Re: using ssh/scp/sftp

Ahmed_58 — Tue, 14 Apr 2009 08:34:07 GMT

Thanks Matti,

It is claer now to me,...

The reasone I generate a key with a root id, is because with any other user-id key I'm getting prompt for a passowrd to be entered on server B when using scp.
any idea way?

Ahmed

Re: using ssh/scp/sftp

Suraj K Sankari — Tue, 14 Apr 2009 08:45:05 GMT

Hi,
>>1. can server B access to server A?
No its not possible
>>2. can server B send files to server B?
Why you need this because your file is already into server B.

>>The reasone I generate a key with a root id, is because with any other user-id key I'm getting prompt for a passowrd to be entered on server B when using scp.

hey you can create this key with other user-id also by doing the same procedure you can create normal users passwd less key.

Suraj

Re: using ssh/scp/sftp

Ahmed_58 — Tue, 14 Apr 2009 08:50:23 GMT

Suraj,
Yes I did create a key with other user-id but when trying to scp server B I'm prompt to enter the password, but not if I'm a root.

hope it is clear

Ahmed

Re: using ssh/scp/sftp

Matti_Kurkela — Tue, 14 Apr 2009 09:16:56 GMT

The most common cause for SSH key authentication problems is too much file permissions.

If the home directory of the non-root user has "group write" or "everyone write" permissions, the ssh client will regard the home directory as "unsafe" - even if nobody other than this user belongs to the group. The client will refuse to use unsafe private keys.

Maximum recommended permissions so that ssh key authentication still works:

User's home directory:
chmod 755 or drwxr-xr-x
The directory must be owned by this user or root.
(If you need group-writable directories, you can create writable sub-directories within the home directory.)

~/.ssh directory:
chmod 700 or drwx------
The directory must be owned by this user or root.

~/.ssh/id_* files and ~/.ssh/authorized_keys file:
If the files exist, they must be owned by this user or root. File permissions of the private key files must be chmod 600 or -rw-------.

MK

Re: using ssh/scp/sftp

Ahmed_58 — Tue, 14 Apr 2009 09:26:41 GMT

thanks all, will try to work with permissions now.