On 7 Oct 2010, at 17:45, Momesso Andrea wrote:
> I need to set up a cron job to transfer a file every day from server A to server B.
>
> I'd like to do that via ssh and with no user assistance, completely automated.
>
> Setting up a public key would do the job, but then, all the connections between the servers would be passwordless, so if server A gets compromised, also server B is screwed.
>
> Is there a way to allow only one single command from a single cronjob to operate passwordless, while keeping all the other connections secured by a password?
|
You could create a user on server B called backup, a user with very limited permissions and no shell (/bin/false). Thus server A can transfer files to serverb:~backup but if the key is compromised then little else can be done.

Not sure if the user could somehow be run in a chrooted ssh, for better security? I'm not sure what files a new user "backup" would have read-access to by default? If the key is obtained from server A then the attacker could copy files from server B (back to wherever they like), and it might be possible to obtain information about what services are run on that system or otherwise learn vulnerabilities from what could be read.

Stroller.
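
One way to get the "one single command" restriction asked about above, as an added example that is not from this thread: an OpenSSH forced-command wrapper for the backup account on server B, which accepts only a dated upload and refuses shells, downloads and any other command. The install path, drop directory and file-name pattern are assumptions, as are a regular POSIX login shell for the account (sshd runs the forced command through it) and a client that speaks the legacy scp protocol (`scp -O` on recent OpenSSH).

```shell
#!/bin/sh
# Forced-command wrapper, assumed to be installed on server B as
# /usr/local/bin/backup-only (hypothetical path).
#
# Assumed entry in ~backup/.ssh/authorized_keys (one line, key is a placeholder):
#   restrict,command="/usr/local/bin/backup-only" <key-type> <server-A-public-key>
#
# sshd then runs this script for every login made with that key and passes
# what the client actually asked for in SSH_ORIGINAL_COMMAND.

INCOMING=/home/backup/incoming   # hypothetical drop directory

# Print the target path if $1 is exactly
#   scp -t <INCOMING>/daily-YYYY-MM-DD.tar.gz
# and return 1 for anything else: interactive logins (empty string), other
# commands, downloads ("scp -f"), path traversal, or trailing shell syntax.
validated_target() {
    case "$1" in
        "scp -t $INCOMING/daily-"[0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]".tar.gz")
            printf '%s\n' "${1#scp -t }"
            ;;
        *)
            return 1
            ;;
    esac
}

main() {
    if target=$(validated_target "${SSH_ORIGINAL_COMMAND:-}"); then
        # Rebuild the command from the validated path; the client's string
        # is never passed to eval or to a shell.
        exec scp -t "$target"
    fi
    echo "backup-only: request refused" >&2
    exit 1
}

# Act only when invoked under the installed name, so the functions above can
# be loaded and tested without starting a transfer.
if [ "${0##*/}" = "backup-only" ]; then
    main
fi
```

The matching cron job on server A would run something like `scp -O /path/to/file backup@serverb:/home/backup/incoming/daily-$(date +\%F).tar.gz`, using a key that has no passphrase and is used for nothing else.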