[Techtalk] Securely transferring files using scripts
Malcolm Tredinnick
malcolm at commsecure.com.au
Sun Jul 21 11:37:05 EST 2002
On Sat, Jul 20, 2002 at 10:00:25AM -0700, jennyw wrote:
> Thanks, Hamster! But if I do that, and if the box with the script gets
> compromised, won't that give an intruder full access to the second box,
> too?
You can set up passphrase-less ssh keys in such a way that only a
particular command can be run on the remote machine. This is done by
editing the line in $HOME:/.ssh/authorized_keys2 on the remote box. Have
a look at the section called "AUTHORIZED_KEYS FILE FORMAT" in the
sshd(8) manual page.
Secondly, these sort of operations are usually done by having the user
who runs the scripts on both boxes being able to do almost nothing else.
As Jenn V suggested elsewhere, having a user with a login shell of
/bin/false is common (see, for example, the typical 'operator' user
which is the one who does tape backups in a lot of systems). Root can su
to operator, but operator cannot su to anybody else, so it's reasonably
secure.
Malcolm
More information about the Techtalk
mailing list