scp to directory w/o execute permissions
Roger H. Goun
roger at bcah.com
Fri Dec 13 11:34:00 EST 2002
On Thu, Dec 12, 2002 at 11:17:51AM -0500, mod+gnhlug at std.com (Michael
O'Donnell) wrote:
> In this it might actually help to RTFM for
> sshd - I just had a quick look and it appears
> that you can mess around with the entries
> in $HOME/.ssh/authorized_keys such that no
> commands other than one you specify can be
> executed. The conditions under which this will
> work may be too restrictive for your purposes,
> but it's probably worth investigating...
This may be more detail than you want, but I did this for an rsync
over ssh backup solution. An ssh key I created for this purpose is
only allowed to do one thing: run a script that validates and runs a
particular command.
In my ~/.ssh/authorized_keys I have:
command="/path/to/rsync_wrapper",no-pty,no-port-forwarding ssh-rsa AAAA...[rest of key data elided]...
The script rsync_wrapper contains:
#!/bin/sh
#
# This script checks to make sure that an incoming SSH command is a
# permitted command, and executes it if it is. If not, the script
# simply exits, which will cause a read timeout at the other end of
# the connection.
#
[ "$SSH_ORIGINAL_COMMAND" = "rsync --server -logDtprz --delete src dest" ] && exec $SSH_ORIGINAL_COMMAND
(Note that the contents of SSH_ORIGINAL_COMMAND is required to be
*exactly* what the rsync client sends to the rsync server. IIRC, you
can get this by using 'ssh -v' as the value of RSYNC_SSH and pawing
through the output.)
-- Roger
--
Roger H. Goun Brentwood Country Animal Hospital, P.C.
Chief Kennel Officer Exeter, New Hampshire, USA
More information about the gnhlug-discuss
mailing list