tighten up allowed ssh on a remote host

Mike Tancsa mike at sentex.net
Tue Aug 22 03:42:26 AEST 2017

	I have a series of small embedded devices I want to backup over ssh to
a central server.  Most are not reachable from the server, so the
clients need to talk / initiate connections to the server.  As the
server is just meant to get backup files, I want to provide the bare min
access to the client.  On the client, I was thinking of something like
the client doing

/usr/bin/tar -cpzf - /cfg  | ssh $USER@$HOST backup.sh

and the authorized_keys file being

ssh-rsa AAAAB3NzaC1y....

and backup.sh

set -euf

d=`date "+%d"`
cat - >  ~clientsite/backup-$d.tgz

If the client private key got into the wrong hands, apart from
potentially deleting backupfiles from that day, is there any other "bad
things" they could do ?  Could they somehow abuse STDIN to create new
files ?


Mike Tancsa, tel +1 519 651 3400
Sentex Communications, mike at sentex.net
Providing Internet services since 1994 www.sentex.net
Cambridge, Ontario Canada   http://www.tancsa.com/

More information about the openssh-unix-dev mailing list