1

We have a data processing workstation that's shared by a number of users. I would like to set up a script on that machine to process my data and then copy it it back to my personal machine afterwards.

I recently learned about ssh public key authentication, so my first thought was to just add the public key of that machine to my authorized_keys file and add an scp command to my script. However, this makes it that anyone on that machine can just ssh into my machine, if they know my machine's ip address. What's the proper way to securely set this sort of thing?

eykanal
  • 335
  • 1
  • 2
  • 13
  • 1
    If everyone has their own account on the data processing workstation (DPW) and they don't have root access, they won't be able to access your DPW user's private/public key. – gravyface May 02 '11 at 17:19
  • Unfortunately, everyone uses a single login, and that's not going to change. – eykanal May 02 '11 at 17:32
  • how long do the jobs take and how much data are we talking about here? – gravyface May 02 '11 at 17:38
  • The jobs will take ~45±15 minutes, depending on the dataset. We're talking around 15 GB of data to transfer after processing. – eykanal May 02 '11 at 17:40
  • Is there a common directory where every user's processed data is moved to or does everyone have their own directory, filename prefix (i.e. eykanal-job.txt), etc.? – gravyface May 02 '11 at 18:14

3 Answers3

1

What you may be able to do is set up public key authentication going the other way; viz., create a keypair on your personal machine and add the public key to the data processing workstation's authorized_keys.

The data processing would be initiated by ssh'ing to the DP workstation , running the command, and then copying it back. E.g.,

#!/bin/sh

ssh common@dp /path/to/process_data_script
scp common@dp:/path/to/data /copy/here
Mark Wagner
  • 18,019
  • 2
  • 32
  • 47
0

Since the Data Processing Workstation (DPW) wasn't setup properly for multi-user access and you have no plans to do so, then you may have better luck doing a pull vs. a push of your processed data: i.e. you can either have your DPW job send you an alert via email and then you manually SFTP/SCP into the DPW and fetch your processed data or you can use rsync to do a "dumb" pull of the DPW "data processed" folder to a source folder on your machine (with the option of --remove-sent-files to remove the DPW data after transfer) periodically, say every hour.

gravyface
  • 13,957
  • 19
  • 68
  • 100
0

First, the private key should have permissions 0600 so that it is only readable by you (or root users on the box).

Private keys usually have passphrases so that idle meddlers can't use them, but this doesn't work for scripting. One way to deal with this vulnerability is to setup another account that ONLY has access to and permissions necessary for the things it needs to do.

Lastly, consider doing this action the other way around. Have your trusted machine fetch the data from the other shared machine. The direction you suggest is more vulnerable. If you like you can setup some sort of signal script so that the remote machine can say "hey I'm done, come and get it" and your local machine can fire off a job to do the transfer.

Caleb
  • 11,813
  • 4
  • 36
  • 49