Alex Mestiashvili <a...@biotec.tu-dresden.de> wrote:
> I would simply use a passwordless ssh-key with a wrapper on the remote
> side which allows to run only the backup command.

I'd agree with this, but use passwordless public/private keys with a
restricted target command. See man sshd and the AUTHORIZED_KEYS FILE
FORMAT section for some details.

An example would be something like this in the target machine's
.ssh/authorized_keys file:

    command="backup-service",no-pty,no-port-forwarding ssh-rsa BLAHBLAHBLAH...

The "backup-service" script can look at the SSH_ORIGINAL_COMMAND variable
to sanity-check it before execution. So, if your client-side backup
script really wants to use rsync, it can do so (and SSH_ORIGINAL_COMMAND
would contain the entire command line ready for the server to execute
once it was happy it was "safe" to do so).

Chris
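
One way the "backup-service" wrapper described above could sanity-check SSH_ORIGINAL_COMMAND, as an added example that is not part of the original message. It assumes backups are pushed with plain `rsync -a` style options into a hypothetical /srv/backups directory, and it accepts only that one command shape.

```shell
#!/bin/sh
# Added example: a possible "backup-service" forced-command wrapper.
# Assumptions (not from the original message): clients push backups with
# rsync into BACKUP_ROOT, and this file is installed as "backup-service".
BACKUP_ROOT=/srv/backups    # hypothetical destination directory

# Return 0 only for: rsync --server -<short flags> . $BACKUP_ROOT/<path>
validate_backup_command() {
    # Allow-list of characters: rejects quotes, ; | & $ ` newlines and globs.
    # Also reject an empty command and any ".." path traversal.
    case $1 in
        ''|*[!A-Za-z0-9\ ./_-]*|*..*) return 1 ;;
    esac
    set -- $1                   # split into words; safe after the check above
    [ "$#" -eq 5 ] || return 1  # exactly five words, so no extra long options
    [ "$1" = rsync ] && [ "$2" = --server ] && [ "$4" = . ] || return 1
    case $3 in
        -[A-Za-z]*) ;;          # one short-flag cluster; "--sender" etc. fail
        *) return 1 ;;
    esac
    case $5 in
        "$BACKUP_ROOT"/?*) return 0 ;;   # destination must be under the root
    esac
    return 1
}

backup_service_main() {
    if validate_backup_command "${SSH_ORIGINAL_COMMAND:-}"; then
        # No eval: the validated string is word-split and executed directly.
        exec $SSH_ORIGINAL_COMMAND
    fi
    logger -t backup-service "rejected: ${SSH_ORIGINAL_COMMAND:-<none>}"
    echo "backup-service: command rejected" >&2
    exit 1
}

# Run only when invoked under the installed name (sshd's forced command).
case ${0##*/} in
    backup-service) backup_service_main ;;
esac
```

Anything other than a plain push, such as a pull (`--sender`) or an added `--delete`, is refused until the check is widened deliberately.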