| 1 |
On Thu, Oct 07, 2010 at 06:45:49PM +0200, Momesso Andrea wrote: |
| 2 |
> I need to set up a cron job to transfer a file every day from server A |
| 3 |
> to server B. |
| 4 |
> |
| 5 |
> I'd like to do that via ssh and with no user assistance, completely |
| 6 |
> automated. |
| 7 |
> |
| 8 |
> Setting up a public key, would do the job, but then, all the |
| 9 |
> connections between the servers would be passwordless, so if server A |
| 10 |
> gets compromised, also server B is screwed. |
| 11 |
> |
| 12 |
> Is there a way to allow only one single command from a single cronjob |
| 13 |
> to operate passwordless, while keeping all the other connections |
| 14 |
> secured by a password? |
| 15 |
|
| 16 |
In the authorized_keys file, you need to include a specification of |
| 17 |
"command=<insert command here>". Which means that on log-in with the |
| 18 |
public key, the sshd will execute that command, and any other commands |
| 19 |
sent from the machine which originated the connection will not |
| 20 |
execute. |
| 21 |
|
| 22 |
So I'd imagine you can untar with the command at the target, and |
| 23 |
instead of scp, use something like |
| 24 |
|
| 25 |
tar <file> | ssh -i <identity file> user@host |
| 26 |
|
| 27 |
(of course, this still opens up the possibility that a partition gets |
| 28 |
filled on your target machine by someone copying random string to it, |
| 29 |
but you'd have to live with that). |
| 30 |
|
| 31 |
(Also, note, I haven't actually tried this method of copying files |
| 32 |
myself, so while I'd imagine it'd work, you may need to play around |
| 33 |
with it for a bit. What I've done before was to have a shell script |
| 34 |
set to run, triggered by a public key login like this.) |
| 35 |
|
| 36 |
See 'man sshd' for more detail. |
| 37 |
|
| 38 |
HTH, |
| 39 |
|
| 40 |
W |
| 41 |
|
| 42 |
-- |
| 43 |
Willie W. Wong wwong@××××××××××××××.edu |
| 44 |
Data aequatione quotcunque fluentes quantitae involvente fluxiones invenire |
| 45 |
et vice versa ~~~ I. Newton |
Archives