Comments on: setting up RSync over SSH with No Password http://www.paulmellors.net/2008/02/29/setting-up-rsync-over-ssh-with-no-password Trial and Tribulations of a Windows / Linux User Sat, 22 Nov 2008 06:07:47 +0000 http://wordpress.org/?v=2.7-beta3-9771 hourly 1 By: Neil Greenwood http://www.paulmellors.net/2008/02/29/setting-up-rsync-over-ssh-with-no-password/comment-page-1#comment-350 Neil Greenwood Tue, 11 Mar 2008 15:47:56 +0000 http://www.paulmellors.net/2008/02/29/setting-up-rsync-over-ssh-with-no-password#comment-350 Step 2 can be simplified by using the ssh-copy-id command. Step 2 can be simplified by using the ssh-copy-id command.

]]> By: Laney http://www.paulmellors.net/2008/02/29/setting-up-rsync-over-ssh-with-no-password/comment-page-1#comment-329 Laney Sat, 01 Mar 2008 19:02:44 +0000 http://www.paulmellors.net/2008/02/29/setting-up-rsync-over-ssh-with-no-password#comment-329 Of course this is terribly insecure, allowing full shell access without a password. Fortunately there is a way to mitigate this somewhat by prefixing the public key in your authorized_keys file to restrict a particular key to only running certain commands. Here's mine: command="/home/laney/.ssh/check_command",from="my.i.p",no-port-forwarding,no-X11-forwarding,no-pty Which validates the command (ssh user@host ), restricts to a single IP, and disables port forwarding and many other things. Much more secure, although obviously only as secure as those commands which you allow. check_command is here: http://orangesquash.org.uk/~laney/check_command Of course this is terribly insecure, allowing full shell access without a password. Fortunately there is a way to mitigate this somewhat by prefixing the public key in your authorized_keys file to restrict a particular key to only running certain commands. Here’s mine:

command=”/home/laney/.ssh/check_command”,from=”my.i.p”,no-port-forwarding,no-X11-forwarding,no-pty

Which validates the command (ssh user@host ), restricts to a single IP, and disables port forwarding and many other things. Much more secure, although obviously only as secure as those commands which you allow.

check_command is here: http://orangesquash.org.uk/~laney/check_command

]]>