[wplug] ssh restrictions
Joe Topjian
joe at portsys.net
Mon Sep 15 20:37:25 EDT 2003
With ssh, you can always create a public key, toss that into the remote
ends authorized_hosts file and now you can ssh/scp/run remote commands
to the remote host without a password.
This sounds cool and all for a number of different things, but is it
possible to place any type of restriction on what is run?
For instance, lets say I wanted to build a nightly backup script. This
script runs a shell script on a remote server that gathers everything,
then I scp it back to me.
ssh root at remote /usr/bin/backup.sh
scp root at remote:/root/backup.tar.gz .
But lets say someone got into my system and somehow figured out that I
have password-less access to a remote host and decided to do a
ssh root at remote rm -rf /
Is there any way to restrict what ssh runs or is used for in a system?
If not, is there any kind of utility or wrapper that will do this?
For instance, you could use tcpserver (http://cr.yp.to/ucspi-tcp.html)
and daemontools (http://cr.yp.to/daemontools.html) that will take any
ol script, and turn it into a server. You connect to that port and it
runs the script. (Kinda like inetd, but more flexible). However, you
now have a bunch of programs listening on ports publicly.
Any ideas?
---
Joe Topjian
email: joe at portsys.net
web: http://zaven.us
More information about the wplug
mailing list