command= and arbitrary keys...
Cameron Simpson
cs at zip.com.au
Sun Dec 2 09:49:52 EST 2001
On Sat, Dec 01, 2001 at 12:32:22AM -0500, Dave Wreski <dave at nic.com> wrote:
| I have an authorized_keys file with about twenty keys, most of which are
| prefaced with command="/usr/bin/rsync ...". If I put my host key at the
| top of the authorized_keys file, I can connect without a problem. If it
| gets put near the bottom, ssh seems to pick an arbitrary key, accepts my
| passphrase, and starts to run one of the rsync commands.
If it's what I suspect, answer these questions:
Are all the keys different? (You have to say "yes" here.)
Are you using an ssh-agent at the calling end? (You want "no" here,
and a "-i keyfile" in the ssh call.)
This is, to my mind, a great failing in ssh: if you have an agent then
the -i option is as good as ignored - any keys in the agent will still
be considered for use in the connection. To this end I have a script
called nphssh here:
http://www.zip.com.au/~cs/css/index.html#s-ssh
that I use for this kind of thing. You need to get no-ssh-agent as well
from the same page.
Basically you want to run the ssh for the specific key _with_ a -i and
_without_ an ssh-agent in its environment, thus these wrappers.
Cheers,
--
Cameron Simpson, DoD#743 cs at zip.com.au http://www.zip.com.au/~cs/
If you lie to the compiler, it will get its revenge. - Henry Spencer
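An added example of the approach described in the message above (ssh run with -i and with no agent in its environment); it is not the nphssh or no-ssh-agent script referenced there. The function name ssh_one_key and the SSH_BIN override are hypothetical, and IdentitiesOnly is an OpenSSH client option that postdates this 2001 thread.

```shell
#!/bin/sh
# ssh_one_key KEYFILE [ssh-options] HOST [COMMAND...]
#
# Runs ssh so that only KEYFILE can be offered to the server. With many
# command="..." entries in authorized_keys, the server runs the forced
# command of whichever key authenticates first, so the client must not
# offer any key other than the intended one.
#
# SSH_BIN (hypothetical) lets the wrapper be pointed at a stub for testing.
ssh_one_key() {
    if [ $# -lt 2 ]; then
        echo "usage: ssh_one_key keyfile [ssh-options] host [command]" >&2
        return 2
    fi
    keyfile=$1
    shift
    if [ ! -r "$keyfile" ]; then
        echo "ssh_one_key: cannot read key file: $keyfile" >&2
        return 1
    fi
    (
        # Subshell: the caller's own agent settings stay untouched.
        # Without these variables the ssh child cannot reach an agent.
        unset SSH_AUTH_SOCK SSH_AGENT_PID
        # -i names the key; IdentitiesOnly=yes stops ssh from also
        # offering default identities or keys from any other source.
        exec "${SSH_BIN:-ssh}" -o IdentitiesOnly=yes -i "$keyfile" "$@"
    )
}

# Constructed usage (key path and host are placeholders):
#   ssh_one_key "$HOME/.ssh/rsync_backup_key" backup@host.example
```

Adding -v to the ssh options shows which keys the client offers, which confirms that only the intended one is tried.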