similar to: rsync over ssh, multiple private keys sharing same UID, chroot

Displaying 20 results from an estimated 6000 matches similar to: "rsync over ssh, multiple private keys sharing same UID, chroot"

2015 Jan 21
4
way to set shell used for remote commands?
On Wed, Jan 21, 2015 at 17:29:00 +0000, Alex Bligh wrote: > > On 21 Jan 2015, at 15:36, Jason Vas Dias <jason.vas.dias at gmail.com> wrote: > > > Please can OpenSSH provide some way of specifying which shell to use to > > execute commands on a host. > > Using dash as an example of another shell: > > ssh 127.0.0.1 -t dash > > and > >
2018 Oct 18
1
Security issues when rsyncing directories as root
Hi, I am using rsync to keep two directories on two servers in sync. Machine A, the "client" is the one where the rsync process is invoked, which then logs into Machine B, the "server" as root with ssh and a key. The key is restricted in /root/.ssh/authorized_keys to a script that checks whether $SSH_ORIGINAL_COMMAND matches the rsync --server command that I expect, such as, for
2011 Apr 13
1
Server mode and rsyncd.conf
When rsync is used in remote-shell server mode, the documentation says: "Rsync supports connecting to a host using a remote shell and then spawning a single-use "daemon" server that expects to read its config file in the home dir of the remote user." I have been trying to make rsync read a config file (which I presume should be named rsyncd.conf) in the home directory of the
2006 Aug 24
2
Passwordless SSH messes with escaped spaces
Hi, I'm trying to use rsync through ssh to pull files from PCs that need to be backed up. I set up the passwordless authentication and things work fine there. However there's a problem when I try to seal off the SSH access to restrict it to limited rsync only using the "command=" in authorized_keys. That by itself works, however not in combination with spaces in the file names.
2011 Oct 08
3
[PATCH] add log= directive to authorized_hosts
Attached is a patch which adds a log= directive to authorized_keys. The text in the log="text" directive is appended to the log line, so you can easily tell which key is matched. For instance the line: log="hello world!",no-agent-forwarding,command="/bin/true",no-pty, no-user-rc,no-X11-forwarding,permitopen="127.0.0.1:7" ssh-rsa AAAAB3Nza....xcgaK9xXoU=
2016 Aug 05
4
Fwd: Re: Encrypt /decrypta file with ssh keys.
As per Alex's suggestion, attached is the proof of concept "sfile" script. If there is anyone out there with great C skills who can recreate this functionality "out of the box", I think there would be a few happy campers (at least two, anyways). -------- Forwarded Message -------- Subject: Re: Encrypt /decrypta file with ssh keys. Date: Fri, 5 Aug 2016 17:24:35
2014 Dec 03
1
Aw: Re: encrypted rsyncd - why was it never implemented?
On 12/03/2014 01:37:58 PM, Kevin Korb wrote: > As far as a backup provider goes I wouldn't expect them to use rsync > over SSL unless that were built into rsync in the future (and has > been > around long enough that most users would have it). > > I would expect them to either use rsync over ssh secured by rrsync or > rsyncd over ssh with them managing the rsyncd.conf
2014 Dec 03
4
Aw: Re: encrypted rsyncd - why was it never implemented?
from a security perspective this is bad. think of a backup provider who wants to make rsyncd modules available to the end users so they can push backups to the server. do you think that such server is secure if all users are allowed to open up an ssh shell to secure their rsync transfer ? ok, you can restrict the ssh connection, but you open up a hole and you need to think twice to make it secure
2014 Dec 03
1
Aw: Re: Re: encrypted rsyncd - why was it never implemented?
> The benefit of rsync over ssh secured by rrsync is that it is more > like what rsync users are already used to. i don't like rsync over ssh in an environment with users you can't trust. from a security perspective, i think such setup is broken by design. it's a little bit like giving a foreigner the key to your front door and then hope that the door in the corridor to your room will be
2011 Oct 08
2
Detect PID of sshd processes used by one public key; detect -R allocated port on the server
I have a situation where a number of potentially hostile clients ssh to a host I control, each ssh'ing in as the same user, and each forwarding a remote port back to them. So, the authorized_keys file looks like: no-agent-forwarding,command="/bin/true",no-pty,no-user-rc,no-X11-forwarding,permitopen="127.0.0.1:7" ssh-rsa AAAAB....vnRWxcgaK9xXoU= client1234 at example.com
2017 Mar 08
2
Logging with ForceCommand and SCP
Hello List, I'm using the ForceCommand in my sshd configuration to log all the user actions on my device. ForceCommand /usr/bin/log-session.sh The Log Session Script itself is working fine for logging. But now I want also use SCP to copy files and this won't work together with the ForceCommand above. The copied file is created but it's zero byte on the target. scp file.tar.gz
2016 Aug 05
3
Encrypt /decrypta file with ssh keys.
> On 5 Aug 2016, at 18:09, James Murphy <james.murphy.debian at gmail.com> wrote: > > The more mainstream thing to do is just use gpg, which has this > functionality already built in. Is this not suitable for your use case? The advantage of Colin's approach is that gpg requires out of band exchange of gpg keys separately from ssh keys. If you already have ssh keys
2023 Nov 12
2
restrict file transfer in rsync, scp, sftp?
On Sat, 11 Nov 2023, Bob Proulx wrote: > I am supporting a site that allows members to upload release files. I > have inherited this site which was previously existing. The goal is > to allow members to file transfer to and from their project area for > release distribution but not to allow general shell access and not to > allow access to other parts of the system. > >
2017 Jan 24
2
Need information to bypass the preauth in openssh
> On 24 Jan 2017, at 06:01, Darren Tucker <dtucker at zip.com.au> wrote: > > On Tue, Jan 24, 2017 at 4:54 PM, Vishwanath KC <vicchi.cit at gmail.com> wrote: > [...] >> Distributor ID: Debian >> Description: Debian GNU/Linux 8.2 (jessie) > > As you've seen, sshd requires that the system's getpwnam() function > knows the user, without which
2016 Jan 15
2
[Patch] TCP MD5SIG for OpenSSH
On Fri, Jan 15, 2016 at 1:07 PM, Alex Bligh <alex at alex.org.uk> wrote: > On 15 Jan 2016, at 11:44, Thomas ? Habets <habets at google.com> wrote: >> On 15 January 2016 at 08:48, Alex Bligh <alex at alex.org.uk> wrote: [snip] > 3. Server compares supplied address/port pair with what it sees > (to detect DNAT like Amazon elastic IPs), and if they are the >
2011 Nov 23
3
Minimum python version for xen-4.1.1
Does xen-4.1.1 really require python 2.7 (as per Ubuntu packaging) or will it actually work on python 2.6? I am trying to backport it to an Ubuntu LTS version and would rather not have to bring in Python 2.7 if possible. -- Alex Bligh
2012 May 15
7
Xen 3.3.x on recent dom0 kernels
Odd question I know. I am looking for source for as recent a kernel as possible running the old style xenlinux/xenified kernel (i.e. capable of running the xen3.3.x hypervisor). Any ideas where I can get this - preferably in git form? I think Stefano Stabellini had something that worked up to 2.6.36 (from memory). And yes, we would all prefer all our customers moved to xen4 but this is difficult
2016 Mar 20
3
ssh-copy-id no newline bug
On 20 Mar 2016, at 19:15, Philip Hands <phil at hands.com> wrote: > Is anyone going to be upset by the resulting blank lines being added by > ssh-copy-id when the file was not missing a terminating newline? Well it would be at least mildly annoying my previously nice looking file now has a pile of blank lines in just because someone didn't know how to use their editor ... --
2010 Jun 02
1
known_hosts
Is there a good reason why known_hosts stores the address of the server but not the port? This is annoying when one host is running more than one instance of openssh with different ports and different keys, or (less tractably) when a NAT in front of multiple hosts multiplexes which host is connected to by port number. I see no immediate security implication in fixing this, but am I missing
2016 Sep 26
2
Re: [Nbd] Testing NBD server implementations for correctness
On Mon, Sep 26, 2016 at 11:43:42AM +0100, Alex Bligh wrote: > > > On 26 Sep 2016, at 10:21, Carl-Daniel Hailfinger <c-d.hailfinger.devel.2006@gmx.net> wrote: > > > > Wow, that was quick! Thank you. > > > > I stumbled upon another problem: Apparently nbd-tester-client and nbdkit > > disagree on what constitutes a valid flush request. > >