Re: passwordless rsync?

On 05/28/2015 04:40 PM, Suvayu Ali wrote:
On Thu, May 28, 2015 at 04:02:19PM -0700, Rick Stevens wrote:
On 05/28/2015 03:38 PM, Suvayu Ali wrote:
Hi Alan,

Please do not top post (please read the mailing list guidelines at the
bottom of each message).

On Thu, May 28, 2015 at 02:14:16PM -0700, Alan Evans wrote:
On Thu, May 28, 2015 at 1:59 PM, Dustin Kempter <dustink@xxxxxxxxxxxxxxxxxxx
wrote:

Hi all, I've been looking into a way to run rsync from server1 to server2
using ssh-keys, but not allowing the user from server 1 to log in to server2
or to run any other commands, only rsync. I've seen a few postings of how to
do it, where they add a command="some command" line in the
.ssh/authorized_keys file. But I can't seem to see the same result even when
I copy and paste what they had. Any advice or help would be greatly
appreciated.

google "ssh-keygen". You will find things like:
http://www.linuxproblem.org/art_9.html and similar.

I believe the OP already tried that.  He mentions .ssh/authorized_keys
in the email.

Dustin, I have faced this problem too!  For some reason the
command='somecommand' trick does not work.  I think some magic
incantation is missing from the docs.  I would also like to know the
answer to this.

It absolutely works. The trick is that the ~username/.ssh/authorized_keys
file entries should look like:

command="ls -l /var" ssh-dss [key material removed] root@xxxxxxxxxxxxxxxxxxxxxxx

I think the magic incantation for me was command="somecommand" is
actually the whole command, with all the arguments.  From the man page,
this wasn't clear to me.  I was trying to set up passwordless root login
with PermitRootLogin set to forced-commands-only for backups with
rsnapshot.

Ah, yes, you have to put in the whole command and arguments. If you need
spaces to separate arguments, then everything after the '=' has to be
enclosed in quotes:

	command="somecommand -arg1 -arg2 -arg3"

etc. You can put in multiple options, too:

	command="somecommand -arg1 -arg2 -arg3",from="*.mydomain.com"

to restrict the user so they'd have to log in from hosts in the
"mydomain.com" DNS domain and the only thing that'd happen if they
did was have "somecommand" run automatically. They'd be disconnected
immediately after "somecommand" completed.

Btw, to allow multiple commands from the same host, I guess I should
have multiple lines for the same public key?  Also, any ideas what
should be the command to allow rsnapshot backups?  I guess I need to
figure out what are the arguments passed onto rsync by rsnapshot, and in
which order.

AFAIK, you can only have one "command=" per line (or stanza) in the
authorized_keys file for each user. Otherwise, how would the client
specify which to run?

You might be able to do some fancy footwork using "Match" clauses in
the /etc/ssh/sshd_config file, but I've never done anything more than
simple matches (match on username or address patterns to put in some
additional restrictions).

Thanks a lot Rick!

You're welcome.
----------------------------------------------------------------------
- Rick Stevens, Systems Engineer, AllDigital    ricks@xxxxxxxxxxxxxx -
- AIM/Skype: therps2        ICQ: 226437340           Yahoo: origrps2 -
-                                                                    -
-  Any sufficiently advanced technology is indistinguishable from a  -
-                              rigged demo.                          -
----------------------------------------------------------------------
--
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org
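The thread settles that command= takes the whole command line and that a key line carries one command= only. What it leaves open is how to confine a key to rsync alone (Dustin's question) and how to learn which arguments rsnapshot actually passes (Suvayu's). Both are usually handled the same way: the forced command is a small wrapper that reads SSH_ORIGINAL_COMMAND, the string sshd stores when it overrides the client's request, and allows only rsync's server-side invocation against one directory, logging everything else. Below is such a wrapper as an added example; it is not code anyone posted in this thread. The authorized_keys line in the comment, the /srv/backups/server1 tree, the install path and the mydomain.com pattern are assumptions. rsync ships a more complete wrapper of this kind, rrsync, in its support directory.

```shell
#!/bin/sh
# rsync-only: forced-command wrapper for a single authorized_keys entry.
# Added example for this thread, not code posted by anyone in it.
#
# Assumed authorized_keys line on server2 (hypothetical paths, key and host):
#   restrict,from="*.mydomain.com",command="/usr/local/bin/rsync-only" ssh-ed25519 AAAA... backup@server1
#
# "restrict" (OpenSSH 7.2+) turns off pty, agent/port/X11 forwarding in one word.
# sshd ignores what the client asked to run and executes the command= value
# instead, but exports the client's request in SSH_ORIGINAL_COMMAND, so one
# wrapper can decide per invocation while honouring the one-command-per-line rule.

set -f                                   # never let the untrusted string glob

ALLOWED_DIR=/srv/backups/server1         # assumed: the only tree rsync may touch

# allow_rsync CMD: return 0 if CMD is an rsync server-side invocation confined to
# ALLOWED_DIR, 1 for everything else (shells, other programs, other paths).
allow_rsync() {
    cmd=$1
    case $cmd in
        "rsync --server "*) ;;           # rsync over ssh always starts like this
        *) return 1 ;;
    esac
    rest=${cmd#"rsync --server "}
    seen_path=0
    for word in $rest; do
        case $word in
            # long options that would run programs, read other files or delete sources
            --rsh=*|--rsync-path=*|--files-from=*|--log-file=*|--remove-source-files|--daemon|--config=*)
                return 1 ;;
            -*) ;;                       # --sender, -logDtpre.iLsfxC and the like are fine
            .)  ;;                       # placeholder rsync sends for the client's side
            "$ALLOWED_DIR"|"$ALLOWED_DIR"/*)
                seen_path=1 ;;           # path is the allowed tree or inside it
            *)  return 1 ;;              # any other path, including /srv/backups/server1evil
        esac
    done
    [ "$seen_path" -eq 1 ]               # a server invocation with no path is useless
}

# Entry point when sshd invokes us; the guard keeps the function testable standalone.
if [ -n "$SSH_ORIGINAL_COMMAND" ]; then
    if allow_rsync "$SSH_ORIGINAL_COMMAND"; then
        exec $SSH_ORIGINAL_COMMAND       # word-split on purpose; globbing is off (set -f)
    fi
    # Logging the exact request is also the easiest way to see what rsnapshot sends.
    logger -t rsync-only "rejected from ${SSH_CLIENT%% *}: $SSH_ORIGINAL_COMMAND"
    exit 1
fi
```

To discover rsnapshot's argument list, install the wrapper with an empty allow list first, run one backup, and read the rejected lines out of syslog; then widen ALLOWED_DIR to match. Pushes arrive as `rsync --server -logDtpre.iLsfxC . /path` and pulls add `--sender`, so the same wrapper serves both directions.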
