[NBLUG/talk] * password in /etc/shadow

Eric Eisenhart eric at nblug.org
Wed Jul 26 09:24:37 PDT 2006


On Wed, Jul 26, 2006 at 12:27:25AM -0700, Walter Hansen wrote:
> That's exactly what I want. The user is for backup purposes only. I'm 
> using rsync to download backup files to a local server (from a couple of 
> your servers actually). Passwordless login gives me the creeps unless 
> it's nessicary for scripting or another reason.

Ah, then you might want to know about something else...

In ~/.ssh/authorized_keys, you can put some stuff at the beginning of a line
(before the stuff that would normally be there) to further lock things down.

Here's an example:
command="/usr/bin/rsync --server --sender -vlHogDtprS --partial . /some/dir/",from="127.0.0.1",no-pty,no-X11-forwarding,no-agent-forwarding,no-port-forwarding ssh-dss AAAA.... foo at example.com

(pretend there's a lot more after the AAAA bit)

This locks down that key to only running that command (do the rsync you want
and look at what command it runs on the server, but use the full path to
rsync), only coming from localhost (change IP to the one you actually want
it to come from), and also restricts it from allocating a terminal,
forwarding X, forwarding an ssh-agent connection or forwarding any ports. 
In other words, it can do only *one* single thing, making it much harder for
somebody who breaks into the system you're running the rsync/ssh on to break
into the system it's ssh'ing into.

-- 
Eric Eisenhart
NBLUG Co-Founder, Scribe and InstallFest Coordinator
The North Bay Linux Users Group -- http://nblug.org/
eric at nblug.org, IRC: Freiheit at fn AIM: falschfreiheit



More information about the talk mailing list