[oclug] Rsync and SSH
King, Brian
brian.king at xwave.com
Mon Mar 4 15:51:38 EST 2002
You can restrict what a particular key can be used for by prepending a few
keywords to the line containing the key.
e.g.
command="ls",no-pty,no-port-forwarding ssh-dss public_key_here== comment_here
will mean that this particular public key can only be used to get a
directory listing. It won't give you a login terminal, and you can't use it
to set up port forwarding. These options are documented in the sshd man page
under the heading "AUTHORIZED_KEYS FILE FORMAT". Additional options are:
from
command
environment
no-port-forwarding
no-X11-forwarding
no-agent-forwarding
no-pty
permitopen
Brian
-----Original Message-----
From: Bart Trojanowski [mailto:bart-oclug at jukie.net]
Sent: Saturday, March 02, 2002 17:27
To: oclug at lists.oclug.on.ca
Cc: David F. Skoll
Subject: Re: [oclug] Rsync and SSH
* Ross Jordan <rjordan at student.math.uwaterloo.ca> [020302 15:04]:
> The trick is to not set a password during key generation.
> ssh-keygen (press enter when prompted for a password).
> Remember that your accounts are only as secure as the keys,
> and so these non password protected keys must be protected
> very carefully.
You can also restrict what the client with the private key can execute
on a machine that trusts the public key (i.e. it's in the authorized_keys
file). This is done somehow in the authorized_keys file. David F. Skoll
had talked about this at one point but I had never had a need for it.
David, what was the way in which one restricts what a key owner can
execute on a machine using the authorized_keys file?
B.
--
WebSig: http://www.jukie.net/~bart/sig/
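Added example, not part of the original thread: a small Python audit that parses authorized_keys entries using the option syntax described above and reports keys that lack a forced command, a from= restriction or the no-* flags. The required-flag policy, the sample keys and hosts, and the /usr/local/bin/rsync-only wrapper path are assumptions made for this example.

```python
import re

# One option: a keyword, optionally ="value" (a value may contain commas and \" escapes).
OPTION = r'[\w-]+(?:="(?:\\.|[^"\\])*")?'
OPT_CAPTURE = re.compile(r'([\w-]+)(?:="((?:\\.|[^"\\])*)")?')
# Entry layout: [options] key-type base64-key [comment]
LINE = re.compile(rf'^(?:(?P<opts>{OPTION}(?:,{OPTION})*)\s+)?'
                  r'(?P<type>(?:sk-)?(?:ssh|ecdsa)-\S+)\s+(?P<key>\S+)(?:\s+(?P<comment>.*))?$')
# Flags this audit expects on every key (a policy assumed for the example).
# Lowercase because sshd treats option keywords as case-insensitive.
REQUIRED_FLAGS = ("no-agent-forwarding", "no-port-forwarding", "no-pty", "no-x11-forwarding")

def parse_options(field):
    """Return {keyword: value or None}, splitting only on commas outside quotes."""
    return {m.group(1).lower(): m.group(2) for m in OPT_CAPTURE.finditer(field or "")}

def audit(text):
    """Return [(line number, comment, [problems])] for entries lacking restrictions."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE.match(line)
        if not m:
            findings.append((n, "", ["unparseable entry"]))
            continue
        opts = parse_options(m["opts"])
        problems = []
        if "command" not in opts:
            problems.append("no forced command")
        if "from" not in opts:
            problems.append("no from= restriction")
        problems += [f"missing {flag}" for flag in REQUIRED_FLAGS if flag not in opts]
        if problems:
            findings.append((n, m["comment"] or "", problems))
    return findings

# Constructed sample: key material, hosts and the wrapper path are placeholders.
SAMPLE = '''\
# backup keys
command="ls",no-pty,no-port-forwarding ssh-dss AAAAplaceholder== backup@host1
from="192.0.2.10,192.0.2.11",command="/usr/local/bin/rsync-only",no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding ssh-rsa AAAAplaceholder== rsync@host2
ssh-rsa AAAAplaceholder== admin@laptop
'''

if __name__ == "__main__":
    for lineno, comment, problems in audit(SAMPLE):
        print(f"line {lineno} ({comment}): {', '.join(problems)}")
```

The unrestricted key on the last sample line is the case the thread warns about: a passphrase-less private key whose public half carries no options grants a full login.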