Re: Piping and scripts with scp

From: Karsten W. Rohrbach (karsten@rohrbach.de)
Date: 07/19/01


Date: Thu, 19 Jul 2001 16:41:33 +0200
From: "Karsten W. Rohrbach" <karsten@rohrbach.de>
To: Brett Glass <brett@lariat.org>


generate ssh keys with ssh-keygen(1) and limit the remote command to
something that makes sense.
generate one key pair for every command you want to run and name the key
files appropriately to reference them in your ssh(1) invocation.

a command restricted pubkey looks like this (example for self-contained
scp to a defined subdirectory):
command="scp -t /path/to/data",from="1.2.3.4" <keydata comes here...>

this pubkey will be placed in the corresponding
$HOME/.ssh/authorized_keys file on the target host.

if you invoke scp with the corresponding key, scp's remote invocation is
limited to the target directory /path/to/data and to the source host ip
1.2.3.4.

have fun
/k

Brett Glass(brett@lariat.org)@2001.07.18 13:59:54 +0000:
> I need to create a script that deposits the output of a program in a file on a
> remote host. I'd like to do this over an encrypted connection, so I'd like to
> use scp for this purpose. The script will need to execute via cron and run
> unattended, and I'm limited to the SSH-1 protocol for the moment (though I
> intend to move to SSH-2 when all the hosts can handle it).
>
> Trouble is, I cannot seem to find options for scp that will allow me
> to (a) pipe data into it for placement in the remote file; or
> (b) supply a password -- kept only in the script, which cannot be
> read except by root -- in advance rather than manually at the console.
> (Yes, I could generate and use RSA keys, but since anyone who could
> view the script will have broken root, he or she could also get at
> the private key anyway... so there's no additional security in this.)
> Help from someone experienced with scp and ssh would be appreciated.
>
> --Brett Glass
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message

-- 
> Microsoft isn't the answer. Microsoft is the question, and the answer is no.
KR433/KR11-RIPE -- WebMonster Community Founder -- nGENn GmbH Senior Techie
http://www.webmonster.de/ -- ftp://ftp.webmonster.de/ -- http://www.ngenn.net/
karsten&rohrbach.de -- alpha&ngenn.net -- alpha&scene.org -- catch@spam.de
GnuPG 0x2964BF46 2001-03-15 42F9 9FFF 50D4 2F38 DBEE  DF22 3340 4F4E 2964 BF46
Please do not remove my address from To: and Cc: fields in mailing lists. 10x
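
An added example, not part of the original message: a Python check that reads an authorized_keys file and reports every key missing the command= or from= restriction described above. The key-type heuristic, the function names and the sample file with its key data are assumptions constructed for illustration.

```python
import re
# Assumption: a key field starts with an OpenSSH key-type name, or with a
# decimal bit count for an SSH-1 RSA key; any other first token is options.
KEY_START = re.compile(r"(ssh-|ecdsa-|sk-)|\d+$")

def split_options(line):
    """Return (options dict, remaining key text) for one authorized_keys line."""
    if KEY_START.match(line.split(None, 1)[0]):
        return {}, line                       # key with no options at all
    opts, i, n = {}, 0, len(line)
    while i < n and line[i] not in " \t":
        j = i
        while j < n and line[j] not in "=, \t":
            j += 1
        name, value = line[i:j].lower(), True  # bare flag such as no-pty
        if line[j:j + 1] == "=":
            start = j = j + 2                 # value must open with a quote
            while j < n and line[j] != '"':
                j += 2 if line[j:j + 2] == '\\"' else 1  # step over \"
            if j >= n or line[start - 1] != '"':
                raise ValueError("malformed option value: " + name)
            value = line[start:j].replace('\\"', '"')
            j += 1
        opts[name] = value
        i = j + 1 if line[j:j + 1] == "," else j
    return opts, line[i:].strip()

def audit(text, required=("command", "from")):
    """List (line number, missing options) for keys lacking a restriction."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line and not line.startswith("#"):
            opts = split_options(line)[0]
            missing = [o for o in required if o not in opts]
            if missing:
                findings.append((no, missing))
    return findings

# Constructed sample file: key data and comments are placeholders.
SAMPLE = '''\
# per-command keys for the cron job
command="scp -t /path/to/data",from="1.2.3.4" ssh-rsa AAAAB3CONSTRUCTED upload
from="1.2.3.4",no-pty ssh-rsa AAAAB3CONSTRUCTED interactive
ssh-rsa AAAAB3CONSTRUCTED unrestricted
command="echo \\"a, b\\"",from="1.2.3.4" 1024 35 1234567890 ssh1-key
'''

if __name__ == "__main__":
    print(audit(SAMPLE))
```
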
