[Gllug] DMZ to inside copy

Doug Winter doug at pigeonhold.com
Thu Jan 15 14:47:06 UTC 2004


On Thu 15 Jan Kristian Davies wrote:
> I want to copy some log files from a machine in a DMZ.  The only port open is
> ssh.  There are only two users on the box, root and one other, root cannot
> log in directly only through the issue of su, the other account does not have
> access to the log directory.  The machine in question does not have access
> to the inside LAN.
> 
> What is the best way to automatically grab the log files from another Linux
> box in the inside..? :-)

Create an account on the box that has access to the log files.

Create an account on the internal machine, probably with the same name,
that is going to fetch the files.

Generate an ssh keypair for the internal account:

    $ ssh-keygen -t dsa

Now, you can either not give this account a password, or give it a
password and use keychain and the ssh agents to manage it for you.  The
latter is more secure, but a pain because you need to reinitialise the
keys when the machine reboots.

Now copy .ssh/id_dsa.pub to the external machine, and put it in:

    .ssh/authorized_keys

in the new account.  This will allow the internal account to log into
the external machine as this user, without providing a password.

You can now use cron to scp the files to the internal machine.  Ideally
the account on the external machine will have no password, or an invalid
one, so the only way of using it is if you possess the ssh private key
on the internal machine.

doug.

-- 
6973E2CF print 2C95 66AD 1596 37D2 41FC  609F 76C0 A4EC 6973 E2CF
"Like a tramp in the night, I was begging for you"
    -- Samantha Fox

-- 
Gllug mailing list  -  Gllug at gllug.org.uk
http://lists.gllug.org.uk/mailman/listinfo/gllug
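
The procedure in the reply above, as an added example that is not part of the original post: `restricted_entry` builds the `authorized_keys` line for the DMZ account so the key is accepted only from one inside address with pty and forwarding switched off, and `fetch_logs` is the copy that cron runs on the inside machine. The account name `logfetch`, host `dmz-host`, key file name and directories are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Hypothetical names: account
# "logfetch", host "dmz-host", and the key file and directories below.
DMZ_HOST="dmz-host"
DMZ_USER="logfetch"
KEY="$HOME/.ssh/id_logfetch"
REMOTE_LOGS="/var/log/app/*.log"
DEST="/srv/dmz-logs"

# Print an authorized_keys entry for the DMZ account that accepts the key
# only from one inside address and disables pty and all forwarding.
# $1 = public key file, $2 = address the inside machine connects from.
restricted_entry() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 1; }
    # Catch the common mistake of copying the private key instead of the .pub.
    if grep -q 'PRIVATE KEY' "$1"; then
        echo "$1 is a private key; use the .pub file" >&2; return 1
    fi
    [ "$(grep -c . "$1")" -eq 1 ] || { echo "$1: expected one key" >&2; return 1; }
    key=$(cat "$1")
    case "$key" in
        ssh-*\ *|ecdsa-*\ *) ;;
        *) echo "$1: not an OpenSSH public key line" >&2; return 1 ;;
    esac
    printf 'from="%s",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding %s\n' \
        "$2" "$key"
}

# Pull the logs. BatchMode makes scp fail instead of prompting, so a cron
# run never hangs waiting for a password or passphrase.
fetch_logs() {
    mkdir -p "$DEST" || return 1
    scp -q -p -i "$KEY" -o BatchMode=yes -o IdentitiesOnly=yes \
        "$DMZ_USER@$DMZ_HOST:$REMOTE_LOGS" "$DEST/"
}

# Crontab entry for the inside account (hypothetical install path):
#   15 * * * * /usr/local/bin/fetch-dmz-logs.sh fetch
if [ "${1:-}" = "fetch" ]; then
    fetch_logs || { echo "log fetch from $DMZ_HOST failed" >&2; exit 1; }
fi
```

Append the output of `restricted_entry` to `.ssh/authorized_keys` in the DMZ account; scp still works with these options because it needs neither a pty nor forwarding.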



