
Re: allowing users to update stuff on the server

also sprach Colin Watson <cjwatson@debian.org> [2003.01.16.1807 +0100]:
> Well, it is possible to have the key fingerprint logged; see the last
> message of #75043. However, that probably isn't what you want.

It would result in a hacked solution...

> I think you should use a forced command in authorized_keys. For example,
> I have one such file that contains this line:
>   command="userv dyndns dyndns dynamic.greenend.org.uk riva",no-pty,no-port-forwarding 1024 35 145413580969648476044072749424723997577855609708600898296078782540051360757631277317814917027038279588528053774482503019012709429846592053864406645721891713477828254982531683029630103055847963503784826642231356729554071003805850344215815518908121062306905784894054069613278599523363884251674573384786501899737 cjwatson@arborlon

I am aware of this form but it

 (a) limits each key to only be usable to update one domain
 (b) forces me to do administration in the authorized_keys file, which
     I'd rather not.

> If you need security between users as well, then using userv as above
> may help. Give them each their own account, if necessary disabled except
> for a single authorized_keys entry with a forced command.

I don't really want to hand out that many accounts, and if it's just
because of naming and administrative issues...

Damnit, this is harder than I want it to be.

Please do not CC me! Mutt (www.mutt.org) can handle this automatically.
 .''`.     martin f. krafft <madduck@debian.org>
: :'  :    proud Debian developer, admin, and user
`. `'`
  `-  Debian - when you have better things to do than fixing a system
NOTE: The pgp.net keyservers and their mirrors are broken!
Get my key here: http://people.debian.org/~madduck/gpg/330c4a75.asc
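
An added example, not part of the original message and not code from either poster: one way a forced command can let a single key update several domains is a wrapper that checks `SSH_ORIGINAL_COMMAND` against a per-key allowlist kept outside `authorized_keys`. The wrapper name `dyndns-gate`, the `update <domain>` request syntax, the ACL path and format, and the `dyndns-update` program are all assumptions made for illustration.

```sh
#!/bin/sh
# Added example (not from the thread): forced-command gate for dyndns updates.
# Constructed authorized_keys entry, one per key, label as the only argument:
#   command="/usr/local/bin/dyndns-gate alice",no-pty,no-port-forwarding <key> alice
# sshd exports the client's requested command as SSH_ORIGINAL_COMMAND.

# authorize LABEL REQUEST ACL_FILE
# Prints the validated domain and returns 0 when LABEL may update it.
authorize() {
    label=$1; request=$2; acl=$3
    # Accept exactly "update <domain>"; any other request is refused.
    case $request in
        "update "*) domain=${request#update } ;;
        *) return 2 ;;
    esac
    # Allow only hostname characters, so spaces, ';', '$', quotes and
    # newlines never reach a later command line.
    case $domain in
        ""|*[!a-z0-9.-]*|.*|-*|*..*) return 3 ;;
    esac
    # ACL format (assumed): one "<label> <domain>" pair per line.
    while read -r l d; do
        [ "$l" = "$label" ] && [ "$d" = "$domain" ] && {
            printf '%s\n' "$domain"; return 0; }
    done < "$acl"
    return 4
}

# Constructed sample ACL: alice may update two domains, bob one.
write_sample_acl() {
    cat > "$1" <<'EOF'
alice home.example.org
alice lab.example.org
bob bob.example.org
EOF
}

# Runs only under sshd as a forced command; paths below are hypothetical.
if [ $# -ge 1 ] && [ -n "${SSH_ORIGINAL_COMMAND+set}" ]; then
    dom=$(authorize "$1" "$SSH_ORIGINAL_COMMAND" /etc/dyndns/acl) || {
        logger -t dyndns-gate "denied key=$1"; exit 1; }
    logger -t dyndns-gate "allowed key=$1 domain=$dom"
    exec /usr/local/sbin/dyndns-update "$dom"
fi
```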
