Plus the scripts that 1) when calling ssh dsync first writes the username to stdout (before dsync starts communicating)
and 2) dsync.sh on remote first reads the username from stdin, before execing dsync itself Because it's not possible to give -u $username parameter in the authorized_keys cmd itself. That's the only changing parameter that is needed. On 15.3.2012, at 23.49, David Ford wrote: > in ~privilgeduser/.ssh/authorized keys: > > from=<list of hosts key is valid for> cmd=dsync.sh pubkey... > > On 03/15/2012 05:05 PM, Timo Sirainen wrote: >> Then again it's safer to use system user accounts than a single vmail >> account that has access to everyone's emails. And if you allow ssh login >> only with public key authentication I don't think there are much security >> issues. And finally, it would be possible to write a small wrapper that >> allows the root's public key auth to only execute dsync-user.sh script that >> can't do anything except sync a specified user's mails. >
