[svlug] Re: Consider my mini-HOWTO
Seth David Schoen
schoen at linuxcare.com
Mon Mar 19 08:34:01 PST 2001
Aaron Lehmann writes:
> On Sun, Mar 18, 2001 at 09:50:41PM +0000, David Madison wrote:
> > 3) The danger of this over rsh is that someone else may beat you
> > to your nc listen port.
> > Consider that I could regularly attempt:
> > % tar czf - etc/passwd | nc vitelus.com 7777
> Yeah yeah, you script kiddie you. Note that nc only accepts one
> connection, so I have an advantage over attackers because there are only
> a few seconds while netcat is listening for connections. But of course
> you're right and this scheme is not for people who don't take marginal
> risks and are shy of firewalls.
A better method is provided by netpipes, which is like netcat but with
more options and features.
You can specify the host and port from which the connection must
originate, among other possibilities. Then the third party
"nc vitelus.com 7777" fails (nc on vitelus.com drops the incoming
connection) because its source address is wrong (unexpected). This is
somewhat akin to part of the behavior of the tcp_wrappers package, but
you can use it in a straightforward way with any command line!
If you don't like that, you could try for your client side
(echo "The magic word is $SECRET"; tar czf - ...)
and for your server side
(head -1 | fgrep $SECRET && tar xzf -)
making sure that SECRET is set the same way on each and that nobody
can observe the command line. (Of course, don't re-use the value of
SECRET, either.) There is still a man-in-the-middle attack possible,
among other things.
Best is to use some cryptography, but how to do this gets back to the
problem of what you need to do. This whole scheme is suggested as a
replacement for scp or for rsync -e ssh -- because it will probably
be faster unless the network is very slow -- so the question is
whether you need authentication, confidentiality, or what, and at what
level, and resistant to what attacks.
My suggestion is still to look at netpipes; you can probably make it
implement whatever solution you settle on in a particular case.
By the way, bash 2.04 has support for the "/dev/tcp" pseudofile, which
is a whole lot like nc -- right inside the shell. I don't think it
can accept incoming connections, though.
Seth David Schoen <schoen at loyalty.org> | And do not say, I will study when I
Temp. http://www.loyalty.org/~schoen/ | have leisure; for perhaps you will
down: http://www.loyalty.org/ (CAF) | not have leisure. -- Pirke Avot 2:5
More information about the svlug