A question about ForceCommand
tin...@isbd.co.uk
the same so I'm putting it in a different thread.
If I want only certain commands to work over an ssh connection I can
use ForceCommand. However I'm not quite clear how it actually
operates.
I can understand how the Match section is used and so on but what does
one actually put after ForceCommand. If one just puts a command name
with no parameters is the allowed user/host then able to use that
command with any parameters they specify? E.g. if I want to allow a
user only to be able to do backups using rdiff-backup (a quite likely
requirement in my case) can I just put:-
Match userName
ForceCommand rdiff-backup
at the end of the sshd_config file? ... and the user would then be
able to used rdiff-backup with whatever parameters they require?
Note that rdiff-backup works somewhat like rsync, it requires that
rdiff-backup is installed at the remote (ssh server) end as well
as at the client end.
--
Chris Green
Nico Kadel-Garcia
Do take a look at the on-line examples for SSH and rsync, such as
http://troy.jdmz.net/rsync/index.html. Typically, those use a small
utility that verifies the arguments of the rsync command "safe", and
only then allows its arguments to be passed along to the real rsync
command.
tin...@isbd.co.uk
Well that's certainly one approach to doing this but it seems to work
around the way that ssh works rather than actually using it.
I don't really need to limit what can be done with rsync (or
rdiff-backup) I just want to be sure that only that command can be
run.
--
Chris Green
Nico Kadel-Garcia
Right! Replace the word 'rsync' everywhere with 'rdiff-backups',
rename and edit the validation script for appropriate command line
arguments, and voila! You have at least a first pass at limiting SSH
enabled operations to running rdiff-backups. Since some of it is shell
script based, it's not completely secure, but it's a usable first stab
at the problem.