From: Jack Lloyd
To: gentoo-amd64@lists.gentoo.org
Subject: Re: [gentoo-amd64] Local network backup
Date: Fri, 14 Sep 2007 12:10:54 -0400
Message-ID: <20070914161054.GQ8293@randombit.net>
In-Reply-To: <647a40580709140634x6b60f95bw1e839416736fa333@mail.gmail.com>

On Fri, Sep 14, 2007 at 03:34:06PM +0200, Jordi Molina wrote:
> It's not a big security risk, just ensure that the access of the user
> in the fw machine has restrictive access over its home and that it
> can't su/sudo to root.
You can use something like scponly, to keep anyone who steals the key
from getting shell access to your firewall:

http://sublimation.org/scponly/wiki/index.php/Main_Page

You could also limit where logins come from via AllowUsers in your sshd
config.

I had thought OpenSSH had some facility built in for limiting what
particular users could do (so you could create an account that can only
be used for sftp transfers, and sshd would not allow that user to get a
tty or shell), but I can't seem to find anything about that in the man
page, so I may just be imagining this feature.

-Jack
--
gentoo-amd64@gentoo.org mailing list
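As an added example (not code from the thread or from scponly): a POSIX sh audit that checks a dedicated backup account against the points raised above, namely an scponly login shell, an AllowUsers entry in sshd_config (ideally of the user@host form), no wheel membership as a stand-in for "can't su to root", and a home directory closed to other users. The account name "backup", the scponly path, the use of wheel as the su gate (sudoers is not inspected) and the sample files the script writes are all constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): audit a dedicated backup account for the
# points raised above: scponly as login shell, an AllowUsers entry in sshd_config
# (ideally user@host), no wheel membership, and a home closed to other users.
# The account name "backup" and every sample file below are constructed.
# 0 if <user> in <passwd-file> has scponly as its login shell.
shell_is_scponly() {
    awk -F: -v u="$1" '$1 == u && $7 ~ /scponly$/ { ok = 1 } END { exit !ok }' "$2"
}

# 0 if an AllowUsers line in <sshd_config> names <user>; prints
# "host-restricted" when that entry has the user@host form.
allowusers_covers() {
    awk -v u="$1" 'tolower($1) == "allowusers" { for (i = 2; i <= NF; i++) {
            if ($i == u) found = 1
            if (index($i, u "@") == 1) { found = 1; restricted = 1 } } }
        END { if (restricted) print "host-restricted"; exit !found }' "$2"
}

# 0 if <user> is listed as a member of <group> in <group-file>.
in_group() {
    awk -F: -v u="$1" -v g="$2" '$1 == g { n = split($4, m, ",")
        for (i = 1; i <= n; i++) if (m[i] == u) ok = 1 } END { exit !ok }' "$3"
}

# 0 if the "other" permission bits of <dir> are all clear (e.g. mode 0700).
home_is_private() { [ "$(ls -ld "$1" | cut -c8-10)" = "---" ]; }

# Writes constructed passwd, group and sshd_config samples plus a 0700 home
# directory into a temp dir and prints that dir's path.
make_samples() {
    d=$(mktemp -d)
    printf '%s\n' 'root:x:0:0:root:/root:/bin/sh' 'alice:x:1000:1000::/home/alice:/bin/sh' \
        'backup:x:1001:1001::/home/backup:/usr/bin/scponly' > "$d/passwd"
    printf '%s\n' 'wheel:x:10:root,alice' 'users:x:100:' > "$d/group"
    printf '%s\n' 'PasswordAuthentication no' 'AllowUsers admin backup@192.168.0.5' > "$d/sshd_config"
    mkdir -m 700 "$d/home_backup"
    echo "$d"
}

# Runs every check for <user> <passwd> <group> <sshd_config> <home>;
# returns the number of failed checks, so 0 means the account is locked down.
audit_account() {
    n=0
    shell_is_scponly "$1" "$2" || { echo "FAIL: $1 login shell is not scponly"; n=$((n+1)); }
    allowusers_covers "$1" "$4" >/dev/null || { echo "FAIL: no AllowUsers entry for $1"; n=$((n+1)); }
    in_group "$1" wheel "$3" && { echo "FAIL: $1 can su to root via wheel"; n=$((n+1)); }
    home_is_private "$5" || { echo "FAIL: $5 is readable by other users"; n=$((n+1)); }
    return $n
}
```

On a real host, point `audit_account` at /etc/passwd, /etc/group, /etc/ssh/sshd_config and the account's home instead of the samples from `make_samples`.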