[wplug] ssh restrictions
Lance Tost
ltost at pobox.com
Tue Sep 16 09:34:02 EDT 2003
Set up key-based authentication so no password is required. Then on the
remote side, in ~/.ssh/authorized_keys, add the following before the key:
command="/path/to/whatever/command args"
man sshd and search for "command=".
On Mon, 15 Sep 2003, Joe Topjian wrote:
> Date: Mon, 15 Sep 2003 20:37:25 -0400
> From: Joe Topjian <joe at portsys.net>
> Reply-To: wplug at wplug.org
> To: wplug at wplug.org
> Subject: [wplug] ssh restrictions
>
> With ssh, you can always create a public key, toss that into the remote
> end's authorized_hosts file and now you can ssh/scp/run remote commands
> to the remote host without a password.
>
> This sounds cool and all for a number of different things, but is it
> possible to place any type of restriction on what is run?
>
> For instance, let's say I wanted to build a nightly backup script. This
> script runs a shell script on a remote server that gathers everything,
> then I scp it back to me.
>
> ssh root@remote /usr/bin/backup.sh
> scp root@remote:/root/backup.tar.gz .
>
> But let's say someone got into my system and somehow figured out that I
> have password-less access to a remote host and decided to do a
>
> ssh root@remote rm -rf /
>
> Is there any way to restrict what ssh runs or is used for in a system?
> If not, is there any kind of utility or wrapper that will do this?
>
> For instance, you could use tcpserver (http://cr.yp.to/ucspi-tcp.html)
> and daemontools (http://cr.yp.to/daemontools.html) that will take any
> ol' script, and turn it into a server. You connect to that port and it
> runs the script. (Kinda like inetd, but more flexible). However, you
> now have a bunch of programs listening on ports publicly.
>
> Any ideas?
>
> ---
> Joe Topjian
> email: joe at portsys.net
> web: http://zaven.us
>
> _______________________________________________
> wplug mailing list
> wplug at wplug.org
> http://www.wplug.org/mailman/listinfo/wplug
>
--
Lance Tost <ltost at pobox.com>
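The forced-command setup Lance describes, written out as a complete wrapper. This is an added example, not code from the thread: it assumes the wrapper is installed on the remote host as /usr/local/bin/backup-only, that the client runs exactly the two commands from Joe's post, and that the key shown in the comments is a placeholder. sshd runs the wrapper instead of whatever the client asked for and passes the client's request in SSH_ORIGINAL_COMMAND, so the wrapper only has to compare that string against a fixed allow list.

```shell
#!/bin/sh
# Added example (not from the wplug thread): forced-command wrapper for the
# backup key. Install on the remote host as /usr/local/bin/backup-only (path
# assumed) and point the key at it with one line in ~/.ssh/authorized_keys:
#
#   command="/usr/local/bin/backup-only",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa AAAA... backup@client
#
# (OpenSSH 7.2 and later accept the shorter restrict,command="..." form.)
# sshd ignores the command the client sent, runs this script instead, and
# exposes the client's request in $SSH_ORIGINAL_COMMAND.

# Exact-match allow list: returns 0 for a permitted request, 1 otherwise.
# No globs and no word splitting, so "/usr/bin/backup.sh; rm -rf /" does
# not match "/usr/bin/backup.sh".
allowed_command() {
    case "$1" in
        /usr/bin/backup.sh) return 0 ;;
        # What "scp root@remote:/root/backup.tar.gz ." makes the remote side
        # run under the legacy scp protocol (OpenSSH 9+ clients need scp -O;
        # the SFTP-based mode uses the sftp subsystem instead of this path).
        'scp -f /root/backup.tar.gz') return 0 ;;
        *) return 1 ;;
    esac
}

# Run the permitted request. The command line is spelled out here rather
# than taken from the client string, so client text is never eval'd.
run_forced() {
    case "$1" in
        /usr/bin/backup.sh) exec /usr/bin/backup.sh ;;
        'scp -f /root/backup.tar.gz') exec /usr/bin/scp -f /root/backup.tar.gz ;;
    esac
    # Also reached for an interactive shell request (SSH_ORIGINAL_COMMAND unset).
    printf 'backup-only: refused: %s\n' "$1" >&2
    exit 255
}

# Build the authorized_keys line for a given public key string.
authorized_keys_line() {
    printf 'command="/usr/local/bin/backup-only",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty %s\n' "$1"
}

# Dispatch only when running under sshd (which sets SSH_CONNECTION), so the
# file can also be sourced to exercise the functions locally.
if [ -n "${SSH_CONNECTION:-}" ]; then
    run_forced "${SSH_ORIGINAL_COMMAND:-}"
fi
```

Two caveats a practitioner would want: the key in Joe's example belongs to root, so the forced command still runs as root and backup.sh itself must not trust anything the client can influence; and the match is on the exact string sshd hands over, so if the client side changes the path or adds an argument, the request is refused rather than partially honoured.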