Re: Limiting ssh usage on remote machine.
- To: misc_(_at_)_openbsd_(_dot_)_org
- Subject: Re: Limiting ssh usage on remote machine.
- From: Chuck Yerkes <chuck+obsd_(_at_)_2003_(_dot_)_snew_(_dot_)_com>
- Date: Wed, 10 Dec 2003 18:53:12 -0500
Quoting Dom De Vitto (dom_(_at_)_DeVitto_(_dot_)_com):
> Limit the command to be a script on the local host.
> This script runs scp with the appropriate ***CLIENT MODE*** scp
> options, or even better runs the 'usual' scp client mode command
> but under a chroot (or even through sudo chroot).
> 1) you scp master:/whatever/file slave:
> 2) the authorized_keys file specified a specific command, so the usual
> scp 'client mode' command on the slave is ignored.
> 3) the specific command is a script you write that does:
> sudo chroot -u /whoever /whatever/tmpdir/scp ...
> 4) if <target file looks right> copy to dest location, restart named,
> etc. etc.
And rdist does do the "move files to other end then
run commands on it".
If the command that rdistd runs is "make" then you have a lot
of flexibility in a standard tool - it can do local RCS checkins,
run a sanity check script (hey, it WAS 15000 lines, now it's 5. Abort!)
and can run "sudo -u otheruser install -m 644 SOURCE DEST/" rules.
I'd use sup or cvs and "pull" but the situation is such
that I can't make new connections from the DMZ to the inside
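
The sanity-check-then-install step described in the message above, as an added example that is not part of the original post or of rdist: a script a make rule could call on the receiving host. The function names, `MIN_PERCENT` and `INSTALL_CMD` are assumptions made for the illustration.

```sh
#!/bin/sh
# Added example: gate a pushed file before it replaces the live copy.
# MIN_PERCENT, INSTALL_CMD and the function names are hypothetical.

MIN_PERCENT=${MIN_PERCENT:-50}   # new file must keep at least this % of the old line count

count_lines() {
    # "wc -l < file" prints only the number; tr strips padding some wc builds add
    wc -l < "$1" | tr -d ' \t'
}

# sanity_check OLD NEW -> 0 if NEW looks plausible, 1 if it must be rejected
sanity_check() {
    old=$1 new=$2
    [ -f "$new" ] && [ -s "$new" ] || { echo "reject: $new missing or empty" >&2; return 1; }
    [ -f "$old" ] || return 0          # first install: nothing to compare against
    old_n=$(count_lines "$old")
    new_n=$(count_lines "$new")
    # Integer arithmetic only: reject when new_n * 100 < old_n * MIN_PERCENT
    if [ $((new_n * 100)) -lt $((old_n * MIN_PERCENT)) ]; then
        echo "reject: $new has $new_n lines, live copy has $old_n" >&2
        return 1
    fi
    return 0
}

# checked_install NEW DEST -> replaces DEST only when the sanity check passes
checked_install() {
    new=$1 dest=$2
    sanity_check "$dest" "$new" || return 1
    # The post runs this step as "sudo -u otheruser install -m 644 SOURCE DEST/";
    # INSTALL_CMD lets the caller supply that privilege wrapper.
    ${INSTALL_CMD:-install} -m 644 "$new" "$dest"
}
```

A make rule would call `checked_install` with the staged file and the live path, so a truncated transfer fails the build before the live copy is touched.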