
Re: Send a remote command?



On Thu, Nov 07, 2002 at 03:39:28PM -0800, nate wrote:
> this is a good method, another is to create passphrase-less RSA(ssh1)
> or DSA(ssh2) keys. that way SSH (either native or using rsync with
> ssh) does not prompt for a password.

Seconded.

> I would only do this on trusted systems however. One slipup can reveal
> your key to an intruder then they have easy access to all the other
> servers.

Then you use a restricted key. Your authorized_keys file at the remote
end looks something like this:

command="bsmtp-pull-server",no-pty,no-port-forwarding ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEA5QLS+9Sxp/F1I3LjTxHoChbw6aK5KchSfoKLOOqXACkGE349LT5Wk9OsUFoHDw/ek8qOvsLoRczpEsaqLmRmueRr2KzXGmfHdKfvPpzv0JkBvloGF71VeE6Z+4ezOqqcjLBiJE3nxUYuR3siR0hAt0g5QURhMl0icEHeyLkuvIU= cjwatson@riva

That allows the named key to connect only for the purpose of running the
command 'bsmtp-pull-server'.

The key should still be kept secure of course, but the consequences of a
compromise aren't quite so bad.

-- 
Colin Watson                                  [cjwatson@flatline.org.uk]
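
Added example, not part of Colin Watson's message: a Python audit of an authorized_keys file that flags keys lacking a forced command or the no-pty and no-port-forwarding flags shown above. The sample entries, key blobs, host names and the pull-report command are constructed; "restrict" is the option in later OpenSSH releases that implies those flags, and option values are assumed to be double-quoted as OpenSSH writes them.

```python
import re

# A line beginning with a key type has no options field (prefix list is illustrative).
KEY_TYPES = ("ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-", "sk-")
REQUIRED = ("no-pty", "no-port-forwarding")   # the flags used in the post above
# Body of a quoted value; sshd treats only \" as an escape. The alternatives are
# mutually exclusive, so a malformed line cannot cause runaway backtracking.
QBODY = r'(?:\\"|[^"\\]|\\(?!"))*'
FIELD = re.compile(r'((?:[^\s"]|"%s")+)\s+(.*)' % QBODY)
OPTION = re.compile(r'([A-Za-z0-9-]+)(?:="(%s)")?' % QBODY)

def split_options(line):
    """Return (options dict, remainder of the line after the options field)."""
    if line.startswith(KEY_TYPES):
        return {}, line
    m = FIELD.match(line)
    if not m:
        return {}, ""
    pairs = OPTION.findall(m.group(1))
    return {k.lower(): v.replace('\\"', '"') for k, v in pairs}, m.group(2)

def audit(text):
    """Return [(line number, last field (key comment), problems)] for weak entries."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        opts, rest = split_options(line)
        problems = [] if opts.get("command") else ["no forced command"]
        if "restrict" not in opts:   # "restrict" implies the REQUIRED flags
            problems += [f"missing {o}" for o in REQUIRED if o not in opts]
        if problems:
            findings.append((n, (rest.split() or ["?"])[-1], problems))
    return findings

# Constructed sample file; the key blobs are placeholders, not real keys.
SAMPLE = """\
command="bsmtp-pull-server",no-pty,no-port-forwarding ssh-rsa AAAAconstructed1 cjwatson@riva
ssh-rsa AAAAconstructed2 backup@host-a
command="/usr/local/bin/pull-report --format csv,json",no-pty ssh-ed25519 AAAAconstructed3 mirror@host-b
restrict,command="uptime" ssh-ed25519 AAAAconstructed4 monitor@host-c
"""

if __name__ == "__main__":
    for n, who, problems in audit(SAMPLE):
        print(f"line {n} ({who}): {', '.join(problems)}")
```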


