
Re: Limiting ssh usage on remote machine.



Quoting Dom De Vitto (dom_(_at_)_DeVitto_(_dot_)_com):
> Limit the command to be a script on the local host.
> This script runs scp with the appropriate ***CLIENT MODE*** scp
> options, or even better runs the 'usual' scp client mode command
> but under a chroot (or even through sudo chroot).
> 
> So:
> 1) you scp master:/whatever/file slave:
> 2) the authorized_keys file specified a specific command, so the usual
>    scp 'client mode' command on the slave is ignored.
> 3) the specific command is a script you write that does:
> 	sudo chroot -u /whoever /whatever/tmpdir/scp ...
> 4) if <target file looks right> copy to dest location, restart named,
>    etc. etc. 

And rdist does do the "move files to other end then
run commands on it".

If the command that rdistd runs is "make" then you have a lot
of flexibility in a standard tool - it can do local RCS checkins,
run a sanity check script (hey, it WAS 15000 lines, now it's 5.  Abort!)
and can run "sudo -u otheruser install -m 644 SOURCE DEST/" rules.

I'd use sup or cvs and "pull" but the situation is such
that I can't make new connections from the DMZ to the inside
(quite understandable).
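The forced-command approach in the quoted steps 2 and 3 depends on the wrapper refusing anything except the one scp operation it was written for. The following is an added example (not code from either poster): a POSIX sh wrapper installed as the `command="..."` in `authorized_keys`, which inspects the command the client actually sent (sshd passes it in `SSH_ORIGINAL_COMMAND`), allows only an scp upload into one assumed directory `/var/spool/incoming` with a plain filename, and re-executes scp with validated arguments rather than through a shell. The script path, the directory and the exact `scp -t` syntax are assumptions; the form of the remote command varies between scp versions, so check what your client sends before deploying a pattern like this.

```shell
#!/bin/sh
# scp-only.sh: hypothetical forced-command wrapper for an authorized_keys entry such as
#   command="/usr/local/bin/scp-only.sh",no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding ssh-ed25519 AAAA... upload-key
# Only one operation is permitted: an scp upload (server-side "scp -t") into ALLOWED_DIR.

ALLOWED_DIR="/var/spool/incoming"   # assumed landing directory; copy to the real destination only after a sanity check

# check_command CMD
# Returns 0 when CMD is "scp -t $ALLOWED_DIR/<name>" and <name> is a single, plain
# filename (no subdirectories, no "..", no shell metacharacters); returns 1 otherwise.
# Everything else the client could ask for (downloads via "scp -f", interactive shells,
# arbitrary commands) is rejected.
check_command() {
    cmd="$1"
    case "$cmd" in
        "scp -t $ALLOWED_DIR/"*) ;;     # upload into the allowed directory only
        *) return 1 ;;
    esac
    target="${cmd#scp -t $ALLOWED_DIR/}"  # the part after the allowed prefix
    case "$target" in
        ""|*/*|*..*|*[!A-Za-z0-9._-]*) return 1 ;;   # empty, path component, traversal, odd characters
    esac
    return 0
}

# Dispatch only when sshd invoked us with a client command; a plain interactive
# login attempt (no SSH_ORIGINAL_COMMAND) gets nothing.
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    if check_command "$SSH_ORIGINAL_COMMAND"; then
        target="${SSH_ORIGINAL_COMMAND#scp -t $ALLOWED_DIR/}"
        # Re-execute scp with arguments we validated ourselves, never via "sh -c $SSH_ORIGINAL_COMMAND".
        exec /usr/bin/scp -t "$ALLOWED_DIR/$target"
    else
        # Record rejected attempts so a misused key shows up in the logs.
        logger -t scp-only "rejected command from ${SSH_CLIENT:-unknown}: $SSH_ORIGINAL_COMMAND"
        echo "command not permitted" >&2
        exit 1
    fi
fi
```

The wrapper only lands the file; the "if the target file looks right, copy to the destination and restart named" step from the quoted message would be a separate script run by the receiving side (or by the `make` rules mentioned above) that examines the file in `/var/spool/incoming` before installing it.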