1 |
On 08/10/2010 0:28, Willie Wong wrote: |
2 |
|
3 |
>> You can't do that on a per-command basis. You'd be trying to control the |
4 |
>> authentication method accepted by sshd on B according to which command |
5 |
>> is run on A -- something sshd on B knows nothing about. |
6 |
>> |
7 |
> |
8 |
> That's partially false. See my response in this thread. |
9 |
|
10 |
Why? SSH can do a lot of things, but when used in the way we're |
11 |
discussing here it just sets up one or more authenticated and encrypted |
12 |
channels between two endpoints; ignoring the details, each one of these |
13 |
roughly acts as a couple of pipes, mutually connecting stdin/stdout of a |
14 |
pair of processes. |
15 |
|
16 |
When you ssh to a remote host, the remote host's sshd will run a command |
17 |
and attach the newly created process to the remote end of the |
18 |
connection; The name of the command is usually passed by the client, but |
19 |
can be overridden on the server either through the sshd configuration |
20 |
files (globally or per-client) or with a per-key 'command' option. |
21 |
|
22 |
Now, the remote sshd is never sent any information about what is |
23 |
connected to the local end of the pipe (which is not even known to |
24 |
ssh!), so there is no way to alter its behavior depending on that. |
25 |
|
26 |
IOW, nothing in the setup you and I proposed prevents the user from |
27 |
piping an arbitrary command into ssh (or even using a ssh-invoking |
28 |
wrapper such as scp or rsync) and getting successfully authenticated on |
29 |
the server. You are only guaranteed that the server will run tar in |
30 |
place of whatever remote command the client requests, so that the |
31 |
connection will break if the client side sends non-tar data. |
32 |
|
33 |
In my opinion this is quite different from "[allowing] only one single |
34 |
command from a single cronjob to operate passwordless", but then I might |
35 |
just be splitting hairs. |
36 |
|
37 |
andrea |