[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#112020: ITP: keychain -- An OpenSSH key manager

On Thu, Sep 13, 2001 at 01:27:05PM +0200, Richard Atterer wrote:
> Indeed.
> You might want to experiment with the following: Create a dedicated
> user on the machine that you log into, whose default shell is not
> /bin/sh, but a script of yours which executes rsync with the right
> options, no matter what arguments are passed to it. Also, the user
> should not be able to write to any files in his home directory.
> This way, even if the key is compromised, it will be difficult for the
> attacker to do anything but run that one command. This doesn't provide
> an awful lot of security, and a determined attacker might find a way
> to circumvent it, but it's already a lot better than a completely open
> account.

Don't even bother :)  Use command restriction.  man sshd(8), search for

Daniel Jacobowitz                           Carnegie Mellon University
MontaVista Software                         Debian GNU/Linux Developer

Reply to: