[Wylug-help] rsync over ssh with cron

Jim Jackson jj at franjam.org.uk
Thu Mar 30 22:36:22 BST 2006




On Thu, 30 Mar 2006, Chris Davies wrote:

> > It seems that if I want to do this automatically I have to use ssh without
> > passphrase, but that it is possible to exclude the use of the key from any
> > other host.
>
> I'm not sure this is possible (but obviously others will no doubt
> contradict me). You can create a private/public key pair with
> "ssh-keygen -t rsa", and one of the options to ssh-keygen allows you to
> specify a new pair of files for the new key pair.
>
> The ssh -i option will then let you use that new private key identity
> file (remembering that you must have put the corresponding public key on
> the remote server, first). You can use the Host and IdentityFile options
> in your local ssh_config file to preset the identity file for the
> appropriate host.
>
> What I can't see is how to stop this public/private key pair being used
> for your account on other hosts - but I guess if someone else can access
> your own private key then the whole security thing becomes moot anyway.

On the host, in the ~/.ssh/authorized_keys file you can specify options
that restrict what can be done with this key. The options are
documented in man sshd, in the section "AUTHORIZED_KEYS FILE FORMAT".

Check out the "from=..." and "command=..." options. So you can have a
private/public key pair that ONLY authorises e.g. one command, when
called from a restricted list of hosts.

Jim
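
Added example, not part of the original message: one way to combine the "from=" and "command=" options for a cron-driven rsync job, using a forced-command wrapper that validates the client's request. The script path, host name, key material and /srv/backup/ directory are assumptions chosen for illustration.

```sh
#!/bin/sh
# Forced-command wrapper, installed at a hypothetical path /usr/local/bin/rsync-only.sh.
# Constructed ~/.ssh/authorized_keys entry on the server (a single line; the
# host name, path and key material are placeholders):
#   from="client.example.org",command="/usr/local/bin/rsync-only.sh",no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding ssh-rsa AAAA...PLACEHOLDER... cron-rsync
# sshd runs this script instead of whatever the client requested and passes
# the client's request in SSH_ORIGINAL_COMMAND.

ALLOWED_DIR="/srv/backup/"   # assumption: the only tree this key may touch

# Succeeds only for "rsync --server [--sender] -<flags> . <path under ALLOWED_DIR>",
# the request a plain "rsync -a" client sends. Other long options are refused
# until added here deliberately.
is_allowed_rsync() {
    case $1 in
        *[\;\&\|\`\$\<\>\(\)\\]*|*..*) return 1 ;;  # metacharacters, ".." traversal
    esac
    set -f; set -- $1; set +f          # split on whitespace, no globbing
    [ "$1" = rsync ] && [ "$2" = --server ] || return 1
    shift 2
    [ "$1" = --sender ] && shift       # present when the client pulls files
    [ $# -eq 3 ] || return 1
    case $1 in -[!-]*) ;; *) return 1 ;; esac   # one short-option bundle
    [ "$2" = . ] || return 1
    case $3 in "$ALLOWED_DIR"*) return 0 ;; esac
    return 1
}

# With no requested command (an interactive login attempt) nothing runs and
# the session simply ends.
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    if is_allowed_rsync "$SSH_ORIGINAL_COMMAND"; then
        set -f
        exec $SSH_ORIGINAL_COMMAND     # unquoted on purpose: split, never eval
    fi
    echo "rejected: $SSH_ORIGINAL_COMMAND" >&2
    exit 1
fi
```

Paths containing spaces are refused by this wrapper because the request is split on whitespace rather than parsed by a shell.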
