ant-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From <Jan.Mate...@rzf.fin-nrw.de>
Subject AW: Suggestions for sending data to the server
Date Thu, 25 Oct 2007 05:58:15 GMT
Where do <rootssh/> and <rpmssh/> come from?

Jan

>-----Urspr√ľngliche Nachricht-----
>Von: Steve Loughran [mailto:stevel@apache.org] 
>Gesendet: Mittwoch, 24. Oktober 2007 16:27
>An: Ant Users List
>Betreff: Re: Suggestions for sending data to the server
>
>Rob Wilson wrote:
>> Recently I have seen many posts for using SCP to copy files 
>to a remote
>> location, I was intending to invoke an upload servlet to do 
>a similar job -
>> but the servlet would insert some data into a database.
>> 
>> Is it generally recommended to use SCP instead of invoking a 
>servlet?  Any
>> pro's/con's that I should be aware of?
>> 
>> Cheers,
>> Rob.
>> 
>
>ssh/scp is the tool of choice for secure uploads
>
>1. defends against man in the middle attacks, either to grab the 
>passwords or to alter the files.
>2. if you keep the keys on the client system, its pretty easy 
>to automate.
>3. built in to all linux systems
>4. works really well with rsync and ssh
>
>Weaknesses
>-some theoretical work on grabbing passwords (not public/private key 
>pairs) by using timing information
>-too many people accept changed remote keys, when really they should 
>question why their server's key has just changed
>-lots of scanner programs are always trying to break in to 
>port 22 with 
>common logons/passwords.
>-if an exploit is found, it will be very widely exploited.
>
>If you use it, and want to lock it down
>  -run it on a different port from normal
>  -disable root access
>  -set it to use public keys only.
>
>if you wrote your own servlet for uploads you would probably be less 
>secure, and have something you would need to test and 
>maintain. If done 
>over HTTPS, especially with client-side certificates, it would 
>be pretty 
>secure (encrypted traffic, no spoofing of either end). WebDAV is 
>effectively this, so is Atom Publishing Protocol. Otherwise, 
>just handle 
>the POST and PUT requests yourself.
>
>Now, some ant targets to scare people w.r.t ssh and scp, namely how to 
>upload an RPM to a virtualized linux image and test that it installs.
>
>First, an upload creating a clean upload dir and pushing out some rpms:
>
>
>  <target name="rpm-upload" depends="rpm-upload-init" >
>     <rpmssh command="rm -rf ${rpm.full.ssh.dir}/" 
>failonerror="false"/>
>     <rpmssh command="mkdir -p ${rpm.full.ssh.dir}"/>
>     <property name="rpm.ssh.path"
>         
>value="${rpm.ssh.user}@${rpm.ssh.server}:${rpm.full.ssh.dir}" />
>     <scp remoteToDir="${rpm.ssh.path}"
>         passphrase="${rpm.ssh.passphrase}"
>         keyfile="${rpm.ssh.keyfile}"
>         trust="${rpm.ssh.trust}"
>         verbose="${rpm.ssh.verbose}" >
>       <fileset refid="rpm.upload.fileset"/>
>     </scp>
>   </target>
>
>
>Then some target to install the RPMs:
>
>   <target name="rpm-remote-install-all" depends="rpm-upload" >
>     <rootssh command="cd ${rpm.full.ssh.dir};rpm --upgrade --force 
>${rpm.verbosity} *.rpm"
>         outputProperty="rpm.result.all"/>
>     <validate-rpm-result result="${rpm.result.all}" />
>   </target>
>
>Now, a set of ssh scripts to verify that common files and dirs are 
>properly owned/existing:
>
>   <target name="rpm-queries-test" depends="rpm-remote-install"
>       description="check that files and directories belong to 
>the RPMs">
>     <expandingcopy file="${rpm.metadata.dir}/rpm-queries.txt"
>       todir="${build.dir}"/>
>     <rootssh
>       failonerror="true"
>       command="rpm -qf ${rpm.install.dir} ;
>rpm -qf ${rpm.install.dir}/bin ;
>rpm -qf ${rpm.install.dir}/lib ;
>rpm -qf ${rpm.install.dir}/links ;
>rpm -qf ${rpm.install.dir}/links/smartfrog.jar;
>rpm -qf ${rpm.install.dir}/links/sfServices.jar;
>rpm -qf ${rpm.install.dir}/bin/security ;
>rpm -qf ${rpm.install.dir}/bin/metadata ;
>rpm -qf ${rpm.log.dir} ;
>rpm -qf ${rpm.etc.dir} ;
>rpm -qf ${rpm.install.dir}/testCA ;
>rpm -qf ${rpm.install.dir}/private ;
>rpm -qf ${rpm.install.dir}/signedLib ;
>rpm -qf /etc/profile.d/smartfrog.sh ;
>rpm -qf /etc/profile.d/smartfrog.csh ;
>rpm -qf ${rpm.install.dir}/docs ;
>rpm -qf ${rpm.install.dir}/src ;
>rpm -qf ${rpm.install.dir}/src.zip "
>         outputProperty="rpm.queries.results"/>
>
>     <echo>${rpm.queries.results}</echo>
>     <fail>
>       <condition>
>         <or>
>           <contains string="${rpm.queries.results}"
>           substring="is not owned by any package"/>
>           <contains string="${rpm.queries.results}"
>           substring="No such file or directory"/>
>         </or>
>       </condition>
>       One of the directories/files in the RPM is not declared 
>as being 
>owned by any RPM.
>       This file/directory will not be managed correctly, or have the 
>correct permissions
>       on a hardened linux
>     </fail>
>
>
>   </target>
>
>  we look for the error text because <sshexec> in ant1.7 doesnt handle 
>errors from multiple commands correctly -we run through all the rpm -q 
>operations and then validate the output.
>
>
>
>-- 
>Steve Loughran                  http://www.1060.org/blogxter/publish/5
>Author: Ant in Action           http://antbook.org/
>
>---------------------------------------------------------------------
>To unsubscribe, e-mail: user-unsubscribe@ant.apache.org
>For additional commands, e-mail: user-help@ant.apache.org
>
>

---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@ant.apache.org
For additional commands, e-mail: user-help@ant.apache.org


Mime
View raw message