On 05/28/2015 04:02 PM, Rick Stevens wrote:
On 05/28/2015 03:38 PM, Suvayu Ali wrote:
Hi Alan,

Please do not top post (please read the mailing list guidelines at the
bottom of each message).

On Thu, May 28, 2015 at 02:14:16PM -0700, Alan Evans wrote:
On Thu, May 28, 2015 at 1:59 PM, Dustin Kempter
<dust...@consistentstate.com
wrote:

Hi all, I've been looking into a way to run rsync from server1 to
server2 using ssh keys, but not allowing the user from server1 to log
in to server2 or to run any other commands, only rsync. I've seen a
few postings of how to do it, where they add a command="some command"
line in the .ssh/authorized_keys file. But I can't seem to see the
same result even when I copy and paste what they had. Any advice or
help would be greatly appreciated.

google "ssh-keygen". You will find things like:
http://www.linuxproblem.org/art_9.html and similar.

I believe the OP already tried that.  He mentions .ssh/authorized_keys
in the email.

Dustin, I have faced this problem too!  For some reason the
command='somecommand' trick does not work.  I think some magic
incantation is missing from the docs.  I would also like to know the
answer to this.

It absolutely works. The trick is that the
~username/.ssh/authorized_keys file entries should look like:

command="ls -l /var" ssh-dss
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
r...@prophead.alldigital.net

The above example allows root on my desktop to log into my laptop and
is an example of an ssh V2 entry using DSA encryption (yes, I know it's
not good for root, but both are behind several layers of firewalls and
I'm safe).

Note that the 'command="some command"' is the FIRST field in a given
key stanza, followed by a space, the key type, a space, the key, a
space, then the comment (typically the name of the key). If I log into
my laptop from my desktop with that entry in the laptop's
"~root/.ssh/authorized_keys" file, this happens:

[root@prophead local]# ssh golem4
total 112
drwxr-xr-x.   2 root root  4096 Aug 17  2014 account
drwxr-xr-x.   2 root root  4096 Nov 18  2014 adm
drwxr-xr-x.  25 root root  4096 Jan  9 13:53 cache
drwxr-xr-x.   2 root root  4096 Jan 12 21:59 crash
drwxr-xr-x.   3 root root  4096 Mar 10 10:13 db
drwxr-xr-x.   3 root root  4096 Jan 13 14:16 empty
drwxr-xr-x.   3 root root  4096 Aug 18  2014 ftp
drwxr-xr-x.   2 root root  4096 Nov 18  2014 games
drwx--x--x    2 gdm  gdm   4096 Jul 29  2013 gdm
drwxr-xr-x.   2 root root  4096 Nov 18  2014 gopher
drwxr-xr-x.   3 root root  4096 Mar 17 09:49 kerberos
drwxr-xr-x.  80 root root  4096 May 28 03:22 lib
drwxr-xr-x.   2 root root  4096 Nov 18  2014 local
lrwxrwxrwx.   1 root root    11 May 13  2011 lock -> ../run/lock
drwxr-xr-x.  34 root root 12288 May 28 03:22 log
lrwxrwxrwx    1 root root    10 Nov 18  2014 mail -> spool/mail
drwxr-xr-x.   2 root root  4096 Nov 18  2014 nis
drwxr-xr-x.   2 root root  4096 Nov 18  2014 opt
drwxr-xr-x.   2 root root  4096 Nov 18  2014 preserve
lrwxrwxrwx.   1 root root     6 May 13  2011 run -> ../run
drwxr-xr-x.  16 root root  4096 Nov 18  2014 spool
drwxrwxrwt. 276 root root 20480 May 27 14:47 tmp
drwxr-xr-x.   6 root root  4096 Dec 17 02:07 www
drwxr-xr-x.   2 root root  4096 Nov 18  2014 yp
Connection to golem4 closed.
[root@prophead local]#

If I remove the 'command="ls -l /var"' bit and log in again:

[root@prophead local]# ssh golem4
Last login: Thu May 28 15:57:44 2015 from 192.168.1.50
[root@golem4 ~]#

Eh, voila!

I should also mention that this IS described in the
"AUTHORIZED_KEYS FILE FORMAT" section of "man sshd". Perhaps the "magic
incantation" you referred to is that the "command=" stuff goes into the
"options" field of the stanza (as do the other items in that part of
the man page, with multiple options separated by commas).
----------------------------------------------------------------------
- Rick Stevens, Systems Engineer, AllDigital    ri...@alldigital.com -
- AIM/Skype: therps2        ICQ: 226437340           Yahoo: origrps2 -
-                                                                    -
-   NEWS FLASH! Intelligence of mankind decreasing!  Details at...   -
-     uh, when, uh, the little hand is, uh, on the...  Aw, NUTS!     -
----------------------------------------------------------------------
--
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org
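Rick's entry forces one fixed command, which answers the "how does command= work" part. For the OP's actual goal (a key that may run rsync and nothing else) the remote command line changes with every transfer, so the usual approach is to force a small wrapper script and let it inspect the client's request, which sshd passes in $SSH_ORIGINAL_COMMAND. The script below is an added example, not code from this thread or from OpenSSH or rsync; the install path /usr/local/bin/rsync-only, the rsync location /usr/bin/rsync, the allowed tree /srv/backup and the key comment backup@server1 are all assumptions.

```sh
#!/bin/sh
# rsync-only forced-command wrapper for sshd (added example, not from the thread).
# Install as /usr/local/bin/rsync-only on server2 and reference it from the
# options field of the key's line in ~/.ssh/authorized_keys (one line; key
# blob elided here):
#
#   restrict,command="/usr/local/bin/rsync-only" ssh-ed25519 AAAA... backup@server1
#
# "restrict" (OpenSSH 7.2+) disables port/agent/X11 forwarding and pty
# allocation; on older sshd spell it out as
#   no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty,command="..."
# sshd ignores whatever the client asked to run and executes this script
# instead, passing the client's request in $SSH_ORIGINAL_COMMAND.

# Assumed locations (hypothetical; adjust for your host).
RSYNC_BIN=/usr/bin/rsync
ALLOWED_ROOT=/srv/backup

# rsync_cmd_allowed REQUEST -> 0 if REQUEST is an rsync server invocation we
# permit, 1 otherwise. rsync over ssh always runs the remote end as
# "rsync --server [--sender] <flags> . <path>", so anything else is a login
# attempt or a different command and is refused.
rsync_cmd_allowed() {
    req=$1
    nl='
'
    # Refuse shell metacharacters and newlines outright: we word-split the
    # request ourselves and never hand it to a shell.
    case "$req" in
        *"$nl"*|*';'*|*'&'*|*'|'*|*'`'*|*'$'*|*'>'*|*'<'*|*'('*|*')'*) return 1 ;;
    esac
    case "$req" in
        "rsync --server "*) ;;
        *) return 1 ;;
    esac
    # The transfer path is the last word; confine it to ALLOWED_ROOT.
    last=${req##* }
    case "$last" in
        "$ALLOWED_ROOT"|"$ALLOWED_ROOT"/*) ;;
        *) return 1 ;;
    esac
    # A ".." component could climb back out of the allowed tree.
    case "$last" in
        *..*) return 1 ;;
    esac
    return 0
}

# rsync_only_main REQUEST: run a validated request with our own rsync binary,
# or refuse it. Returns 1 on refusal; on success exec replaces the shell.
rsync_only_main() {
    if ! rsync_cmd_allowed "$1"; then
        printf 'rsync-only: refused: %s\n' "${1:-<interactive login>}" >&2
        command -v logger >/dev/null 2>&1 &&
            logger -t rsync-only "refused from ${SSH_CLIENT:-?}: ${1:-<interactive login>}"
        return 1
    fi
    # Safe to word-split now: no quoting or metacharacters survived validation.
    # Drop the client-supplied "rsync" word and exec the binary we chose.
    set -- $1
    shift
    exec "$RSYNC_BIN" "$@"
}

# Dispatch only when running under sshd (which sets SSH_CONNECTION); otherwise
# the file can be sourced to exercise the checks without executing anything.
if [ -n "${SSH_CONNECTION:-}" ]; then
    rsync_only_main "${SSH_ORIGINAL_COMMAND:-}"
    exit $?
fi
```

With that entry in place, "ssh server2" from the key holder prints "refused: <interactive login>" and exits, while "rsync -avz /data/ server2:/srv/backup/host1/" goes through because the remote side is "rsync --server -vlogDtpre.iLsfxC . /srv/backup/host1/". Paths containing spaces are split by the word-splitting step and will be refused, which is a deliberate simplification here; if you need them, parse the request more carefully rather than loosening the checks.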