[clug] Automating SSH scripts with passphrase'd keys

steve jenkin sjenkin at canb.auug.org.au
Mon Mar 24 09:04:54 GMT 2008


Michael Cohen wrote on 24/3/08 6:52 PM:

You can use 'rsync' with SSH as the transport. It's a pity that there
isn't an SSH sub-system like 'scp' for 'tar'.

A single user can have many sets of ssh keys; the .ssh/config file on
the originating system can have many aliases for access as one or more
users to a (backup) server.

In the home directory for the user on the backup server, in
~/.ssh/authorized_keys, you can have a specific command (rsync or tar or
scp) associated with a key - no matter what the originator asks ssh to
run, only the specified command is run on the server.

I've seen this used extensively at one site - but I didn't like it :-(
Too many keys to maintain, and lots of complexity in the config files.

If you trust scripts (shell, perl, python) to be a wrapper, you can
implement your own sub-system - but it's nasty for my tastes.

good luck - like to hear what you decide to implement.

> Li-Jie,
>
>   Creating a special user on the server end is the best way to go -
> something along these lines for a forced command might be best: dd
> of=`date`.tar.gz
> and then on the desktop you would do a cron job which does:
>
> tar cz /home/ | ssh backup@server whatever
>
> for example. The "whatever" is any command; it doesn't matter as it will
> be ignored anyway (the server will always run the forced command) but
> is needed to make ssh not try to bind a pty (i.e. so it knows it's not
> an interactive shell).
>
> If someone was to compromise the desktop they could send the server
> tar files securely; that's about it, because they cannot issue any other
> command on the server than the dd command. If you want to get more
> sophisticated you can write perl/python scripts to do anything based
> on lots of parameters obtained via the environment of the forced
> command like source ip, and even the command that the desktop wants to
> run (the "whatever" above). This btw is how scponly is implemented to
> allow scp services only to certain hosts, from ips, only upload no
> download and lots of other policies.
>
> Michael.
>
>   


-- 
Steve Jenkin, Info Tech, Systems and Design Specialist.
0412 786 915 (+61 412 786 915)
PO Box 48, Kippax ACT 2615, AUSTRALIA

sjenkin at canb.auug.org.au http://members.tip.net.au/~sjenkin
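The thread above describes two things: a key in authorized_keys that pins one forced command, and a wrapper script behind that command that applies policy from the source address and the command the client asked for. The script below is an added example written for this page, not code from either poster. It assumes the wrapper is installed on the backup server as /usr/local/bin/backup-wrapper, that the backup user's authorized_keys carries the line shown in the comment, and that the allowed client addresses, the "put-backup"/"list-backups" request names and the /var/backups/incoming directory are made-up values to replace with your own.

```shell
#!/bin/sh
# Added example, not from the original thread. Forced-command wrapper for a
# backup-receiver key. Assumed authorized_keys entry on the server (one line):
#
#   command="/usr/local/bin/backup-wrapper",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding ssh-ed25519 AAAA... desktop-backup
#
# sshd runs this wrapper whatever the client asked for; the client's request
# is exposed in SSH_ORIGINAL_COMMAND and the peer address in SSH_CONNECTION.

# Policy: client addresses allowed to push backups (assumed values).
ALLOWED_SRC="192.0.2.10 192.0.2.11"
BACKUP_DIR="${BACKUP_DIR:-/var/backups/incoming}"

# allowed_src IP -> exit 0 if the address is in the allow-list
allowed_src() {
    for ip in $ALLOWED_SRC; do
        [ "$1" = "$ip" ] && return 0
    done
    return 1
}

# decide ORIGINAL_COMMAND SRC_IP -> prints "store", "list" or "deny".
# Exact string match only: anything the client appends ("; rm -rf /",
# extra options) falls through to deny.
decide() {
    cmd=$1
    src=$2
    allowed_src "$src" || { echo deny; return 0; }
    case "$cmd" in
        put-backup)   echo store ;;
        list-backups) echo list ;;
        *)            echo deny ;;
    esac
}

# backup_name -> a filename with no spaces. Plain `date` output contains
# spaces, so an unquoted of=`date`.tar.gz would be word-split into several
# arguments; a fixed UTC timestamp format avoids that.
backup_name() {
    echo "home-$(date -u +%Y%m%dT%H%M%SZ).tar.gz"
}

main() {
    # SSH_CONNECTION is "client_ip client_port server_ip server_port"
    src=${SSH_CONNECTION%% *}
    action=$(decide "${SSH_ORIGINAL_COMMAND:-}" "$src")
    case "$action" in
        store)
            umask 077
            name=$(backup_name)
            # stdin is the tar stream piped in by the desktop; store it verbatim.
            cat > "$BACKUP_DIR/$name" && echo "stored $name" >&2
            ;;
        list)
            ls -1 "$BACKUP_DIR"
            ;;
        *)
            echo "denied: cmd='${SSH_ORIGINAL_COMMAND:-}' from ${src:-unknown}" >&2
            exit 1
            ;;
    esac
}

# Act as the forced command only when sshd invoked us.
if [ -n "${SSH_CONNECTION:-}" ]; then
    main
fi
```

On the desktop the cron job then becomes `tar cz /home/ | ssh backup@server put-backup`: the word after the host is what lands in SSH_ORIGINAL_COMMAND, so it is no longer ignored but checked against the allow-list. A compromised desktop can still push a tar file or list what is there, and nothing else; note that the wrapper never evals the original command, it only compares it.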


