From: Willie Wong
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] Copying a file via ssh with no password, keeping the system safe
Date: Thu, 7 Oct 2010 14:14:47 -0400
Message-ID: <20101007181447.GA2283@math.princeton.edu>
In-Reply-To: <20101007184549.65756vlexbx2u7sw@momessonet.ath.cx>
References: <20101007184549.65756vlexbx2u7sw@momessonet.ath.cx>

On Thu, Oct 07, 2010 at 06:45:49PM +0200, Momesso Andrea wrote:
> I need to set up a cron job to transfer a file every day from server A
> to server B.
>
> I'd like to do that via ssh and with no user assistance, completely
> automated.
>
> Setting up a public key would do the job, but then all the
> connections between the servers would be passwordless, so if server A
> gets compromised, server B is screwed too.
>
> Is there a way to allow only one single command from a single cron job
> to operate passwordless, while keeping all the other connections
> secured by a password?

In the authorized_keys file, you need to include a specification of
"command=". This means that on log-in with the public key, sshd will
execute that command, and any other commands sent from the machine
which originated the connection will not execute.

So I'd imagine you can untar with the command at the target, and
instead of scp, use something like tar | ssh -i user@host (of course,
this still opens up the possibility that a partition gets filled on
your target machine by someone copying random strings to it, but you'd
have to live with that).

(Also, note, I haven't actually tried this method of copying files
myself, so while I'd imagine it'd work, you may need to play around
with it for a bit. What I've done before was to have a shell script set
to run, triggered by a public key login like this.)

See 'man sshd' for more detail.

HTH,

W
--
Willie W. Wong                                     wwong@math.princeton.edu
Data aequatione quotcunque fluentes quantitae involvente fluxiones invenire et vice versa ~~~ I. Newton
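As an added example (not part of the post above or of any project), here are the receiving-side pieces of the setup Willie describes: the authorized_keys entry with a forced command, and the receiver script it points to, which also bounds the stream so the partition-filling caveat becomes an error instead of a full disk. The script path, the destination directory, the byte cap and the key text are assumptions constructed for the example.

```shell
#!/bin/sh
# Receiving-side pieces for the forced-command transfer. Assumptions
# (constructed for this example, not from the post): the receiver lives
# at /usr/local/bin/receive-backup on server B, archives are unpacked
# under a fixed directory, and the stream is capped at a byte count.
set -eu

# Build the authorized_keys entry for server B. command= forces the
# receiver regardless of what the client asks for; the no-* options
# (see sshd(8), AUTHORIZED_KEYS FILE FORMAT) also deny a pty and any
# port, X11 or agent forwarding, so the key is useful for this one
# stream and nothing else.
# $1 = absolute path of the receiver script, $2 = the public key line
authorized_keys_line() {
    printf 'command="%s",no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding %s\n' "$1" "$2"
}

# What sshd runs on server B for every login with that key: read a tar
# stream from stdin and unpack it into $1, accepting at most $2 bytes.
# The sender is expected to run "tar -cf - ... | ssh -i KEY user@serverB"
# with no remote command, so anything in SSH_ORIGINAL_COMMAND (which
# sshd sets to the command the client requested) is refused and logged.
receive_backup() {
    dest=$1
    max=$2
    if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
        echo "receive_backup: refusing requested command: $SSH_ORIGINAL_COMMAND" >&2
        return 1
    fi
    mkdir -p "$dest"
    # The byte cap addresses the "someone fills the partition" caveat:
    # head stops reading at $max, tar then fails on the truncated
    # archive, and the function returns non-zero instead of the disk
    # filling up.
    head -c "$max" | tar -xf - -C "$dest"
}
```

On server B, install the receiver, then append the output of authorized_keys_line to ~/.ssh/authorized_keys for the account the cron job logs in as.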