Bug#112020: ITP: keychain -- An OpenSSH key manager
On Thu, Sep 13, 2001 at 01:27:05PM +0200, Richard Atterer wrote:
> Indeed.
>
> You might want to experiment with the following: Create a dedicated
> user on the machine that you log into, whose default shell is not
> /bin/sh, but a script of yours which executes rsync with the right
> options, no matter what arguments are passed to it. Also, the user
> should not be able to write to any files in his home directory.
>
> This way, even if the key is compromised, it will be difficult for the
> attacker to do anything but run that one command. This doesn't provide
> an awful lot of security, and a determined attacker might find a way
> to circumvent it, but it's already a lot better than a completely open
> account.
Don't even bother :) Use command restriction. man sshd(8), search for
command=.
--
Daniel Jacobowitz Carnegie Mellon University
MontaVista Software Debian GNU/Linux Developer
Reply to: