From owner-freebsd-security Thu Jul 19 7:29:31 2001
Date: Thu, 19 Jul 2001 16:41:33 +0200
From: "Karsten W. Rohrbach"
To: Brett Glass
Cc: security@freebsd.org
Subject: Re: Piping and scripts with scp
Message-ID: <20010719164133.E39506@mail.webmonster.de>
In-Reply-To: <200107181959.NAA06459@lariat.org>; from brett@lariat.org on Wed, Jul 18, 2001 at 01:59:54PM -0600

generate ssh keys with ssh-keygen(1) and limit the remote command to
something that makes sense. generate one key pair for every command you
want to run and name the key files appropriately to reference them in
your ssh(1) invocation.

a command-restricted pubkey looks like this (example for self-contained
scp to a defined subdirectory):

    command="scp -t /path/to/data",from="1.2.3.4"

this pubkey will be placed in the corresponding $HOME/.ssh/authorized_keys
file on the target host.
if you invoke scp with the corresponding key, scp's remote invocation is
limited to the target directory /path/to/data and to the source host ip
1.2.3.4.

have fun
/k

Brett Glass(brett@lariat.org)@2001.07.18 13:59:54 +0000:
> I need to create a script that deposits the output of a program in a file on a
> remote host. I'd like to do this over an encrypted connection, so I'd like to
> use scp for this purpose. The script will need to execute via cron and run
> unattended, and I'm limited to the SSH-1 protocol for the moment (though I
> intend to move to SSH-2 when all the hosts can handle it).
>
> Trouble is, I cannot seem to find options for scp that will allow me
> to (a) pipe data into it for placement in the remote file; or
> (b) supply a password -- kept only in the script, which cannot be
> read except by root -- in advance rather than manually at the console.
> (Yes, I could generate and use RSA keys, but since anyone who could
> view the script will have broken root, he or she could also get at
> the private key anyway... so there's no additional security in this.)
> Help from someone experienced with scp and ssh would be appreciated.
>
> --Brett Glass
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message

-- 
> Microsoft isn't the answer. Microsoft is the question, and the answer is no.
KR433/KR11-RIPE -- WebMonster Community Founder -- nGENn GmbH Senior Techie
http://www.webmonster.de/ -- ftp://ftp.webmonster.de/ -- http://www.ngenn.net/
karsten&rohrbach.de -- alpha&ngenn.net -- alpha&scene.org -- catch@spam.de
GnuPG 0x2964BF46 2001-03-15 42F9 9FFF 50D4 2F38 DBEE DF22 3340 4F4E 2964 BF46
Please do not remove my address from To: and Cc: fields in mailing lists.
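The command="..." and from="..." restriction described in the reply above, as an added example that is not part of the original mail: a POSIX sh helper that writes such an authorized_keys entry (with the other OpenSSH options that switch off pty, port, agent and X11 forwarding), plus an awk audit that lists every key in an authorized_keys file that carries no command= option. It assumes POSIX sh and awk; the key strings are constructed placeholders, not real keys.

```shell
#!/bin/sh
# Added example, not part of the original mail. Assumes POSIX sh and awk.
# The public key strings used below are constructed placeholders.

# restricted_entry CMD FROM PUBKEY
# Print an authorized_keys line that pins PUBKEY to the single command CMD,
# accepts it only from host pattern FROM, and also disables the interactive
# and forwarding features a cron scp job does not need.
restricted_entry() {
    printf 'command="%s",from="%s",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding %s\n' \
        "$1" "$2" "$3"
}

# unrestricted_keys FILE
# Print the line number of every key in FILE that has no command= option.
# Such a key lets its holder run any command; from= alone only limits where
# the connection may come from, not what it may do once accepted.
unrestricted_keys() {
    awk '
        /^[ \t]*(#|$)/         { next }      # skip comments and blank lines
        $0 !~ /(^|,)command="/ { print NR }  # options precede the key type
    ' "$1"
}

# Demonstration on a constructed authorized_keys file (lines 3 and 4 are
# the unrestricted ones: one bare key, one with from= but no command=).
demo_file=$(mktemp)
{
    echo '# constructed sample, not real keys'
    restricted_entry 'scp -t /path/to/data' '1.2.3.4' 'ssh-rsa AAAAconstructed1 backup@client'
    echo 'ssh-rsa AAAAconstructed2 backup@client'
    echo 'from="1.2.3.4" ssh-rsa AAAAconstructed3 backup@client'
} > "$demo_file"
echo "keys without command= restriction (line numbers):"
unrestricted_keys "$demo_file"
rm -f "$demo_file"
```

On a real host, run unrestricted_keys against each account's $HOME/.ssh/authorized_keys to find automation keys that were never pinned to a command.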