Linux Users' Group of Davis (LUGOD)
 
Page last updated:
2006 Jan 06 14:14

The following is an archive of a post made to our 'vox-tech mailing list' by one of its subscribers.

Re: [vox-tech] [OT] Pumping a password using Expect



Quoting Matt Roper (matt@mattrope.com):

> On the topic of ssh keys, does anyone know if it's possible to create
> a key that is restricted to use for scp and can't be used to execute
> any commands?

Yes, I do know that it's possible.

{skipping a beat}

Oh, wait, you wanted details, too?  ;->

Actually, what I know is how to lock an ssh keypair to exactly one
command string.  The canonical need for this technique is within a 
backup / mirroring task run by crond, copying files from an untrusted
host over network transport to a trusted one:  Someone who compromises
the untrusted host can't use his half of the locked keypair to do
anything but another backup run.  Consequently, said key can't be used
to harm (let alone break into) the trusted box.

True paranoics would have the backup target directory be on its own
filesystem, preventing bad guys overfilling the target host (using the
backup script _as_ a DoS).

The key-handling technique:  "SSH Public-key Process" on
http://linuxmafia.com/kb/Security/

-- 
Cheers,
Rick Moen                            Recidite, plebes!  Gero rem Imperialem!
rick@linuxmafia.com
_______________________________________________
vox-tech mailing list
vox-tech@lists.lugod.org
http://lists.lugod.org/mailman/listinfo/vox-tech
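
The one-command lock described in the post above, as an added example that is not part of the original post or of the linked page. It assumes OpenSSH's `authorized_keys` options; the key material and the backup script path are constructed placeholders, and `lock_key`, `count_unlocked` and `demo` are hypothetical helper names.

```shell
#!/bin/sh
# Added example, not from the original post. The key and the command path
# are constructed placeholders.
FORCED_CMD='/usr/local/bin/backup-run'          # hypothetical backup script
SAMPLE_KEY='ssh-ed25519 AAAAC3CONSTRUCTEDPLACEHOLDERKEY backup@untrusted-host'

# Emit an authorized_keys line for the account on the trusted host.
# command="..." makes sshd run that command for this key no matter what the
# client requests; the no-* options disable forwarding and tty allocation.
lock_key() {
    # $1 = forced command, $2 = public key line
    case $1 in
        *\"*) echo 'lock_key: double quote in command not handled here' >&2
              return 1 ;;
    esac
    printf 'command="%s",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty %s\n' "$1" "$2"
}

# Count key lines in an authorized_keys file that carry no command= option,
# i.e. keys that still allow arbitrary commands. Heuristic text match, not a
# full parser of the options field.
count_unlocked() {
    # $1 = path to an authorized_keys file
    awk '/^[ \t]*#/ || /^[ \t]*$/ { next }
         !/^command="/ && !/,command="/ { n++ }
         END { print n + 0 }' "$1"
}

# Build a two-key file (one locked, one not) and audit it.
demo() {
    f=$(mktemp) || return 1
    lock_key "$FORCED_CMD" "$SAMPLE_KEY" > "$f"
    printf '%s\n' "$SAMPLE_KEY" >> "$f"
    count_unlocked "$f"
    rm -f "$f"
}
```

The line printed by `lock_key` goes into `~/.ssh/authorized_keys` of the receiving account on the trusted host; `count_unlocked` can then be run against that file to confirm no unrestricted key remains.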


