| 1 |
On 08/10/2010 0:28, Willie Wong wrote: |
| 2 |
|
| 3 |
>> You can't do that on a per-command basis. You'd be trying to control the |
| 4 |
>> authentication method accepted by sshd on B according to which command |
| 5 |
>> is run on A -- something sshd on B knows nothing about. |
| 6 |
>> |
| 7 |
> |
| 8 |
> That's partially false. See my response in this thread. |
| 9 |
|
| 10 |
Why? SSH can do a lot of things, but when used in the way we're |
| 11 |
discussing here it just sets up one or more authenticated and encrypted |
| 12 |
channels between two endpoints; ignoring the details, each one of these |
| 13 |
roughly acts as a couple of pipes, mutually connecting stdin/stdout of a |
| 14 |
pair of processes. |
| 15 |
|
| 16 |
When you ssh to a remote host, the remote host's sshd will run a command |
| 17 |
and attach the newly created process to the remote end of the |
| 18 |
connection; The name of the command is usually passed by the client, but |
| 19 |
can be overridden on the server either through the sshd configuration |
| 20 |
files (globally or per-client) or with a per-key 'command' option. |
| 21 |
|
| 22 |
Now, the remote sshd is never sent any information about what is |
| 23 |
connected to the local end of the pipe (which is not even known to |
| 24 |
ssh!), so there is no way to alter its behavior depending on that. |
| 25 |
|
| 26 |
IOW, nothing in the setup you and I proposed prevents the user from |
| 27 |
piping an arbitrary command into ssh (or even using a ssh-invoking |
| 28 |
wrapper such as scp or rsync) and getting successfully authenticated on |
| 29 |
the server. You are only guaranteed that the server will run tar in |
| 30 |
place of whatever remote command the client requests, so that the |
| 31 |
connection will break if the client side sends non-tar data. |
| 32 |
|
| 33 |
In my opinion this is quite different from "[allowing] only one single |
| 34 |
command from a single cronjob to operate passwordless", but then I might |
| 35 |
just be splitting hairs. |
| 36 |
|
| 37 |
andrea |
Archives