public inbox for gentoo-user@lists.gentoo.org
From: Willie Wong <wwong@Math.Princeton.EDU>
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user]  Copying a file via ssh with no password, keeping the system safe
Date: Thu, 7 Oct 2010 14:14:47 -0400
Message-ID: <20101007181447.GA2283@math.princeton.edu>
In-Reply-To: <20101007184549.65756vlexbx2u7sw@momessonet.ath.cx>

On Thu, Oct 07, 2010 at 06:45:49PM +0200, Momesso Andrea wrote:
> I need to set up a cron job to transfer a file every day from server A  
> to server B.
> 
> I'd like to do that via ssh and with no user assistance, completely 
> automated.
> 
> Setting up a public key, would do the job, but then, all the  
> connections between the servers would be passwordless, so if server A  
> gets compromised, also server B is screwed.
> 
> Is there a way to allow only one single command from a single cronjob  
> to operate passwordless, while keeping all the other connections  
> secured by a password?

In the authorized_keys file, you need to include a specification of
"command=<insert command here>". Which means that on log-in with the
public key, the sshd will execute that command, and any other commands
sent from the machine which originated the connection will not
execute. 

So I'd imagine you can untar with the command at the target, and
instead of scp, use something like

  tar cf - <file> | ssh -i <identity file> user@host

(of course, this still opens up the possibility that a partition gets
filled on your target machine by someone copying random strings to it,
but you'd have to live with that).

(Also, note, I haven't actually tried this method of copying files
myself, so while I'd imagine it'd work, you may need to play around
with it for a bit. What I've done before was to have a shell script
set to run, triggered by a public key login like this.)

See 'man sshd' for more detail.  

HTH, 

W

-- 
Willie W. Wong                                     wwong@math.princeton.edu
Data aequatione quotcunque fluentes quantitae involvente fluxiones invenire 
         et vice versa   ~~~  I. Newton
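As an added illustration of the forced-command approach described above (this is not code from the thread or from any Gentoo project), a receiver script for server B that sshd runs via `command=` in authorized_keys. It reads the tar stream from stdin, caps its size to address the disk-filling concern, refuses archives with absolute or `..` member names, and extracts into one fixed directory; the script path `/usr/local/bin/recv-tar`, the directory `/srv/incoming`, the `RECV_*` variables and the key comment are assumptions.

```shell
#!/bin/sh
# Receiver on server B for the "command=" forced-key approach.
# authorized_keys entry (one line; script path, key type and comment are assumptions):
#   command="/usr/local/bin/recv-tar serve",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-ed25519 AAAA... cron@serverA
# Cron job on server A:  tar cf - report.dat | ssh -i ~/.ssh/cron_key user@serverB
set -eu

# Read at most $2 bytes of a tar stream from stdin and extract it into the fixed directory $1.
# Rejects streams over the cap (so a compromised A cannot fill the partition) and archives whose
# member names are absolute or contain "..", so this key can only ever write inside $1.
receive_tar() {
    dir=$1 limit=$2
    tmp=$(mktemp "$dir/.incoming.XXXXXX")
    list=$(mktemp "$dir/.list.XXXXXX")
    rc=1
    # read one byte past the cap so an oversized stream is detected instead of silently truncated
    head -c "$((limit + 1))" > "$tmp"
    size=$(($(wc -c < "$tmp")))
    if [ "$size" -gt "$limit" ]; then
        echo "recv-tar: stream exceeds $limit bytes, discarded" >&2
    elif ! tar tf "$tmp" > "$list" 2>/dev/null; then
        echo "recv-tar: not a valid tar archive, discarded" >&2
    elif grep -Eq '^/|(^|/)\.\.(/|$)' "$list"; then
        echo "recv-tar: archive contains absolute or parent-directory paths, discarded" >&2
    elif tar xf "$tmp" -C "$dir"; then
        rc=0
    fi
    rm -f "$tmp" "$list"
    return $rc
}

# Entry point used by sshd. SSH_ORIGINAL_COMMAND holds whatever the client asked to run;
# the forced command runs regardless, so it is logged and ignored rather than executed.
main() {
    if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
        echo "recv-tar: ignoring client command: $SSH_ORIGINAL_COMMAND" >&2
    fi
    receive_tar "${RECV_DIR:-/srv/incoming}" "${RECV_MAX_BYTES:-52428800}"
}

if [ "${1:-}" = serve ]; then
    main
fi
```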


