Secure way of running a script on a remote computer

Currently I have a script running which uses ssh to run a script with an argument to another machine. I was wondering if there is a more secure way of doing this? I've set it up so that the ssh user doesn't have sudo rights or anything like that but I'm not entirely comfortable with having a public facing server have ssh access to a machine on my secure network.

Ultimately it's not a serious risk, I'm just interested in if there is a better way of doing it.

Which is public and which is the secure network?

(I assumed the machine you're sshing from is the secnet)

  • keys instead of passwords
  • set up SSH to allow only incoming traffic on the public server
  • block incoming traffic on the secure network from that public server that's not explicitly allowed or already established.
  • SELinux.

The machine connecting is public and the one being connected to is private.

I'm already using keys instead of passwords and the firewall only allows explicitly allowed traffic between networks. There are only a couple of things on the public network which can access resources on the private network, mostly just samba, but ssh makes me uncomfortable.

Sorry, not exactly sure what you mean here.

I was meaning don't allow SSH back out, but consider it not valid, since I was thinking the other way around on what was where.

SELinux or similar will help securing it, it's a must in my opinion.
You can keep your keys on a USB or secure USB/smart card.

1 Like

Thanks, I'll have a look at that.

Usually SSH is the best option but it depends what the script is doing. Can you post the script or outline what it does?

The script takes files from a drop off point and moves them to where they will be stored. The public server only has the key to login to the private server as a user with limited access, and it's not a web server or anything particularly vulnerable so I'm not too worried about it getting hacked. I'm just interested in if there is a better way of triggering a script to run remotely other than using SSH.

Any reason not to schedule this? If you can't schedule it and don't want to use SSH you could trigger it with an HTTP(S) GET.

1 Like

Scheduling would work but the reason I've done it this way is to have the files available as soon as they're finished being processed by the first server. HTTP is something I was thinking of trying, but I don't know much about it. I'll have a look into it, thanks.

This is more a powershell term, but I think bash has a similar command: invoke-command

You can point that towards a script file in powershell and run it. Should be similar.

For shell scripts I'd stick with SSH, if you want to make your activity less transparent use VPN, something like n2n is nice for this IMO (SSH over shared key overlay network)

You could expose your script almost as-is via cgi, you'd just need to parse the URL and extract a key in Bash or whatever you've used, because SSH is doing that for you now. From memory the safest way was to put the key into a file and use diff, rather than use string operations in the script.

1 Like
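The CGI approach described in the post above, as an added example that is not part of the thread: the key is taken from the query string and compared against a key file with diff, and the script argument is checked before use. The paths, the `key` and `arg` parameter names and the function names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. KEY_FILE, SCRIPT and the parameter
# names "key" and "arg" are assumptions made for illustration.
KEY_FILE="${KEY_FILE:-/etc/trigger/key}"   # hypothetical path; key + newline
SCRIPT="${SCRIPT:-/path/to/script}"

# Print one query-string parameter. Runs in a subshell so IFS and globbing
# changes do not leak; the value is never eval'd or URL-decoded.
get_param() (   # $1 = name, $2 = query string
    IFS='&'; set -f
    for pair in $2; do
        case $pair in "$1="*) printf '%s' "${pair#*=}"; exit 0 ;; esac
    done
)

# True only if the supplied key is byte-identical to the key file. The
# comparison is done by diff on files/streams, not by string tests.
key_matches() {   # $1 = supplied key, $2 = key file
    [ -n "$1" ] && [ -r "$2" ] || return 1
    printf '%s\n' "$1" | diff -q - "$2" >/dev/null 2>&1
}

# Accept only a plain file name: no slashes, no leading dot, no shell
# metacharacters. The argument arrives from the network, so check it first.
valid_arg() {
    case $1 in
        ''|.*|*[!A-Za-z0-9._-]*) return 1 ;;
        *) return 0 ;;
    esac
}

handle_request() {   # $1 = query string; prints a CGI response
    key=$(get_param key "$1")
    arg=$(get_param arg "$1")
    if ! key_matches "$key" "$KEY_FILE"; then
        printf 'Status: 403 Forbidden\r\n\r\n'; return 1
    fi
    if ! valid_arg "$arg"; then
        printf 'Status: 400 Bad Request\r\n\r\n'; return 1
    fi
    printf 'Status: 200 OK\r\nContent-Type: text/plain\r\n\r\n'
    "$SCRIPT" "$arg"
}

# Act as a CGI program only when the web server has set QUERY_STRING.
[ -z "${QUERY_STRING+x}" ] || handle_request "$QUERY_STRING"
```

A key sent in a URL ends up in web server access logs, so serve this over HTTPS only and keep those logs as restricted as the key file.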

What user is the script running as? You can limit the users that ssh allows you to login as. You can also create a special user without any permissions and configure your sudoers file so that the user is allowed to run your script as the user it is supposed to run as but nothing else.

For example:
/etc/sudoers: sshuser ALL=(userwhorunsscript) /path/to/script
/etc/ssh/sshd_config: AllowUsers sshuser

More about sudo configuration:
https://wiki.archlinux.org/index.php/sudo#Configuration

1 Like

Can you limit ssh to only allow logins from specific user and host combinations? I really like the sudo idea, it means I can keep the file ownership without having to have the remote machine login as that user, as well as using an ssh user with no other rights.

Do you mean so that it blocks incoming connections from all hosts other than your own? I don't think that's a feature of OpenSSH but you can configure that in the firewall.

Example with iptables:
iptables -A INPUT -s [accepted host IP] -j ACCEPT
iptables -A INPUT -s 0.0.0.0/0 -p tcp --destination-port 22 -j DROP

Of course, you can get around this by spoofing your IP but it will prevent automated attacks and is probably a good thing if there is a zero day in OpenSSH.

I have a firewall set up but what I mean is, is there a way to have it so that for a given host it is only allowed to login with a certain user? I.e. ComputerX can only log in as userX but computerY can log in as any user? I know that this is what authentication is for but I'm just interested if this is a thing. I haven't seen anything like that in the config so I doubt it.

Is it possible to have different server config for different hosts? I feel like I saw something like that in the config.

I don't think something like that exists but I suppose you could just run two servers.

Yeah I didn't think so.