tighten up allowed ssh on a remote host
Mike Tancsa
mike at sentex.net
Tue Aug 22 03:42:26 AEST 2017
Hi,
I have a series of small embedded devices I want to backup over ssh to
a central server. Most are not reachable from the server, so the
clients need to talk / initiate connections to the server. As the
server is just meant to get backup files, I want to provide the bare min
access to the client. On the client, I was thinking of something like
the client doing
USER=clientsite
HOST=mybackup.server.com
/usr/bin/tar -cpzf - /cfg | ssh $USER@$HOST backup.sh
and the authorized_keys file being
from="192.168.22.254",no-port-forwarding,no-X11-forwarding,no-pty,command="./backup.sh"
ssh-rsa AAAAB3NzaC1y....
and backup.sh
#!/bin/sh
set -euf
d=`date "+%d"`
cat - > ~clientsite/backup-$d.tgz
If the client private key got into the wrong hands, apart from
potentially deleting backupfiles from that day, is there any other "bad
things" they could do ? Could they somehow abuse STDIN to create new
files ?
---Mike
--
-------------------
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, mike at sentex.net
Providing Internet services since 1994 www.sentex.net
Cambridge, Ontario Canada http://www.tancsa.com/
More information about the openssh-unix-dev
mailing list