[vox-tech] [OT] Pumping a password using Expect

Rick Moen rick at linuxmafia.com
Fri Jan 6 12:57:47 PST 2006


Quoting Matt Roper (matt at mattrope.com):

> On the topic of ssh keys, does anyone know if it's possible to create
> a key that is restricted to use for scp and can't be used to execute
> any commands?

Yes, I do know that it's possible.

{skipping a beat}

Oh, wait, you wanted details, too?  ;->

Actually, what I know is how to lock an ssh keypair to exactly one
command string.  The canonical need for this technique is within a 
backup / mirroring task run by crond, copying files from an untrusted
host over network transport to a trusted one:  Someone who compromises
the untrusted host can't use his half of the locked keypair to do
anything but another backup run.  Consequently, said key can't be used
to harm (let alone break into) the trusted box.

True paranoics would have the backup target directory be on its own
filesystem, preventing bad guys overfilling the target host (using the
backup script _as_ a DoS).

The key-handling technique:  "SSH Public-key Process" on
http://linuxmafia.com/kb/Security/

-- 
Cheers,
Rick Moen                            Recidite, plebes!  Gero rem Imperialem!
rick at linuxmafia.com
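
The forced-command setup described above, as an added example that is not part of the original post or of the linuxmafia.com KB page: a wrapper for the trusted (backup target) host that lets the key run exactly one command string, plus the authorized_keys line that points at it. The paths (/srv/backup/, /usr/local/sbin/backup-only), the untrusted host's address (192.0.2.10), the sample key material and the assumption that the client speaks the legacy scp protocol (in which the receiving side is invoked as "scp -t DIR") are all my assumptions for illustration; OpenSSH 9.0 and later default scp to SFTP, which would need the sftp-server subsystem rather than a command string.

```shell
#!/bin/sh
# Added example, not code from the original post or from the linuxmafia.com KB.
# Forced-command wrapper for the trusted host: the key in authorized_keys may
# run exactly one command string and nothing else.
# Assumptions: target dir /srv/backup/, wrapper installed as
# /usr/local/sbin/backup-only, untrusted host at 192.0.2.10, legacy scp client.

# The single command string the key is permitted to run (assumed).
ALLOWED_CMD='scp -t /srv/backup/'

# check_command REQUESTED -> 0 if REQUESTED is exactly the allowed string.
# sshd exports the client's requested command as SSH_ORIGINAL_COMMAND when the
# key carries a command= option; other paths, extra flags, shell metacharacters
# or an interactive login with no command at all are all refused.
check_command() {
    case "$1" in
        "$ALLOWED_CMD") return 0 ;;
        *)              return 1 ;;
    esac
}

# make_authorized_keys_line PUBKEY WRAPPER FROM_HOST -> one authorized_keys line.
# command= forces WRAPPER regardless of what the client asks for; from= pins the
# key to FROM_HOST; the no-* options close the remaining ways a shell-less key
# could still be abused (port forwarding, agent forwarding, X11, a pty).
make_authorized_keys_line() {
    printf 'command="%s",from="%s",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty %s\n' \
        "$2" "$3" "$1"
}

# run_forced_command: what the wrapper does when sshd invokes it. Either exec
# the single permitted command or log and refuse; never fall back to a shell.
run_forced_command() {
    if check_command "${SSH_ORIGINAL_COMMAND-}"; then
        # Safe to word-split: the string was matched exactly above.
        # shellcheck disable=SC2086
        exec $SSH_ORIGINAL_COMMAND
    fi
    logger -t backup-only "rejected key use: ${SSH_ORIGINAL_COMMAND:-<no command>}" 2>/dev/null || :
    echo "this key may only run: $ALLOWED_CMD" >&2
    exit 1
}

# Print the line to append to ~/.ssh/authorized_keys on the trusted host
# (constructed sample key, not a real one).
make_authorized_keys_line \
    'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyMaterialOnlyNotReal backup@untrusted' \
    '/usr/local/sbin/backup-only --enforce' 192.0.2.10

# When installed as the wrapper and called by sshd with --enforce, apply policy.
if [ "${1-}" = "--enforce" ]; then
    run_forced_command
fi
```

Two practical notes. First, an exact string match is deliberately stricter than a pattern: "scp -t /srv/backup" (no trailing slash), "scp -t /srv/backup/ ; sh" and an empty request all fail, which is what "locked to exactly one command string" means. Second, even so the client still chooses the file names and sizes written under /srv/backup/, which is why the suggestion above to put the target directory on its own filesystem is worth following. On OpenSSH 7.2 and later the single option `restrict` can replace the list of no-* options; it disables those features and any added since.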
