On 29/05/14 12:22, Chris Green wrote:
I want to copy files from a BeagleBone Black (running Ubuntu) to my home dmz system. This has got to work unattended as the BBB is sat on our boat moored on the Somme. It's also got to be a 'push' from the BBB as it's connected via WiFi and while I can connect to it through an ssh tunnel copying files via that connection would be decidedly tricky.
So, as I see it, I have two obvious options:-
1 - Set up a public key login for the BBB on my dmz that requires no passphrase, so it's effectively passwordless. Then the BBB can run rsync to copy the files. The security hole in this approach is that if someone accessed the BBB then they could login to the dmz without further difficulty.
2 - Run an rsync daemon on the dmz and copy the files by connecting to this from the BBB. The advantage is that someone at the BBB end can't do anything but copy files (and I can limit what can be copied with the rsyncd configuration), the disadvantage is that the connection isn't encrypted at all.
There's nothing valuable in the files, they're just temperature and electrical measurements from the boat so I don't care at all about the files being visible to the world. My security concern is to minimise the risk of someone getting into my dmz system. OK, it's a dmz and it's just a Raspberry Pi so is hardly full of valuable data but it would be a nuisance and *might* be a jumping off place for further nefarious deeds.
I guess I'm being a bit paranoid really, the BBB on the boat is headless and anyone breaking into the boat is hardly likely to be an accomplished Linux hacker. Option 1 above is certainly the easiest as rsync daemon takes a bit of setting up. Are there any really obvious flaws - is it only really vulnerable to someone who accesses the BBB?
There is an option 3 but it's more difficult to set up, I could implement a passphraseless rsync connection from the BBB to the dmz that only allows rsync file copying to a specific directory. I've done this on one other system and it works pretty well (you do it by adding a command= at the front of the authorized_keys file) but like the rsync daemon it takes a bit of setting up and I'm wondering if it's worth the effort.
Any comments anyone? Are there more obvious and/or easier ways of copying files without making systems vulnerable to other attacks?
Perhaps it's a silly question, but why rsync? Is it that you do not know the file names, but do know the destination directory? I'm just asking because there's always scp (secure copy), or sftp/ftp (secure/ File Transfer Program).
If the data is not confidential, then why are you trying to copy it in a confidential way? Could you upload it to a webserver somewhere, a dropbox or a cloud server if you have one. Even email the files to yourself?
Are you the chap who has to ssh from home to an intermediate cloud server and also ssh from the boat to the same server to get a connction? If that's the case, and if you can configure the cloud server, could you do a double rsync?
1) scheduled rsync 1 Boat -----> rsync ---> Cloud
2) scheduled rsync 2 Cloud ----> rsync ---> Home
3) Cronjob to delete files older than X days on Boat.
Any of that any use? Steve