tighten up allowed ssh on a remote host

Hi,
	I have a series of small embedded devices I want to back up over ssh to
a central server.  Most are not reachable from the server, so the
clients need to talk / initiate connections to the server.  As the
server is just meant to get backup files, I want to provide the bare min
access to the client.  On the client, I was thinking of something like
the client doing

USER=clientsite
HOST=mybackup.server.com
/usr/bin/tar -cpzf - /cfg  | ssh $USER@$HOST backup.sh


and the authorized_keys file being

from="192.168.22.254",no-port-forwarding,no-X11-forwarding,no-pty,command="./backup.sh" ssh-rsa AAAAB3NzaC1y....

and backup.sh

#!/bin/sh
set -euf

d=`date "+%d"`
cat - >  ~clientsite/backup-$d.tgz

If the client private key got into the wrong hands, apart from
potentially deleting backup files from that day, are there any other "bad
things" they could do?  Could they somehow abuse STDIN to create new
files?

	---Mike







-- 
-------------------
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, mike@xxxxxxxxxx
Providing Internet services since 1994 www.sentex.net
Cambridge, Ontario Canada   http://www.tancsa.com/
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
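
One way to harden the receiving side of the setup described in the post, as an added example that is not part of the original message or of OpenSSH. It caps the upload size, accepts only a complete gzip stream, and never overwrites an existing backup; the names receive_backup, BACKUP_DIR, MAX_BYTES and the "receive" argument are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. receive_backup, BACKUP_DIR,
# MAX_BYTES and the "receive" argument are assumed names.
# Assumed authorized_keys entry (one line, key elided as in the post):
#   restrict,from="192.168.22.254",command="./backup.sh receive" ssh-rsa AAAAB3NzaC1y....
# "restrict" (OpenSSH 7.2+) turns off port, agent and X11 forwarding, pty
# allocation and ~/.ssh/rc in one option.

# Store one gzip stream from stdin in dest_dir; print the stored path.
# Returns 1 no temp file, 2 empty/oversized, 3 not gzip, 4 name collision.
receive_backup() {
    dest_dir=$1
    max_bytes=$2
    umask 077
    tmp=$(mktemp "$dest_dir/.incoming.XXXXXX") || return 1
    # Read one byte past the cap: enough to detect an oversized upload
    # without letting a stolen key fill the disk.
    head -c "$((max_bytes + 1))" > "$tmp"
    size=$(($(wc -c < "$tmp")))
    if [ "$size" -eq 0 ] || [ "$size" -gt "$max_bytes" ]; then
        rm -f "$tmp"
        return 2
    fi
    # Integrity check only: proves a complete gzip stream, not a sane tar.
    if ! gzip -t < "$tmp" 2>/dev/null; then
        rm -f "$tmp"
        return 3
    fi
    # The file name is chosen here, never by the client.
    final="$dest_dir/backup-$(date +%Y%m%d-%H%M%S)-$$.tgz"
    # ln fails if the name exists, so an older backup is never overwritten.
    if ! ln "$tmp" "$final" 2>/dev/null; then
        rm -f "$tmp"
        return 4
    fi
    rm -f "$tmp"
    printf '%s\n' "$final"
}

# Forced-command entry point. SSH_ORIGINAL_COMMAND (what the client asked
# to run) is deliberately never read or executed.
if [ "${1:-}" = "receive" ]; then
    receive_backup "${BACKUP_DIR:-$HOME}" "${MAX_BYTES:-104857600}" >/dev/null
fi
```

The client-side pipeline from the post works unchanged, since whatever command the client names is ignored by the forced command.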


