On Thu, May 28, 2015 at 05:56:05PM -0700, Rick Stevens wrote:
>On 05/28/2015 04:40 PM, Suvayu Ali wrote:
>>
>>I think the magic incantation for me was command="somecommand" is
>>actually the whole command, with all the arguments. From the man page,
>>this wasn't clear to me. I was trying to set up passwordless root login
>>with PermitRootLogin set to forced-commands-only for backups with
>>rsnapshot.
>Ah, yes, you have to put in the whole command and arguments. If you need
>spaces to separate arguments, then everything after the '=' has to be
>enclosed in quotes:
>command="somecommand -arg1 -arg2 -arg3"
>etc. You can put in multiple options, too:
>command="somecommand -arg1 -arg2 -arg3",from="*.mydomain.com"
>to restrict the user so they'd have to log in from hosts in the
>"mydomain.com" DNS domain and the only thing that'd happen if they
>did was have "somecommand" run automatically. They'd be disconnected
>immediately after "somecommand" completed.
I think I played with this successfully. :)
>>Btw, to allow multiple commands from the same host, I guess I should
>>have multiple lines for the same public key? Also, any ideas what
>>should be the command to allow rsnapshot backups? I guess I need to
>>figure out what are the arguments passed onto rsync by rsnapshot, and in
>>which order.
>AFAIK, you can only have one "command=" per line (or stanza) in the
>authorized_keys file for each user. Otherwise, how would the client
>specify which to run?
Yes, I see that now after reading Gordon's response.
>You might be able to do some fancy footwork using "Match" clauses in
>the /etc/ssh/sshd_config file, but I've never done anything more than
>simple matches (match on username or address patterns to put in some
>additional restrictions).
I'll explore this if I feel I need it, but probably I don't need
something that complicated.
Thanks again,
--
Suvayu
Open source is the future. It sets us free.
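Added example, not part of the thread above and not code from rsnapshot or OpenSSH: the usual way to get more than one thing out of a single command= entry is a wrapper. sshd runs the forced command with whatever the client actually asked for in the environment variable SSH_ORIGINAL_COMMAND, so the forced command can be a small script that inspects that variable and allows only the rsync server invocation rsnapshot needs (and refuses everything else, including an interactive login). The wrapper path, the list of allowed directories and the sample rsync argument string below are assumptions for illustration; the exact arguments rsnapshot sends depend on rsync_short_args and rsync_long_args in rsnapshot.conf, and the easiest way to learn them is to log $SSH_ORIGINAL_COMMAND once from a throwaway wrapper before tightening it.

```shell
#!/bin/sh
# Added example (not from the thread): a forced-command wrapper that lets a
# single command="..." entry serve rsnapshot. Install it as, say,
# /usr/local/bin/rsnapshot-shell (path is an assumption) and point the
# backup host's key at it in ~/.ssh/authorized_keys, e.g.
#
#   command="/usr/local/bin/rsnapshot-shell",from="backup.mydomain.com",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding ssh-ed25519 AAAA... rsnapshot@backup
#
# sshd exports what the client asked for in SSH_ORIGINAL_COMMAND. rsnapshot
# runs rsync, which asks the remote side for something like
#   rsync --server --sender -vlogDtprze.iLsfxC --numeric-ids . /etc/
# (constructed sample; the option cluster follows rsnapshot.conf).

# Directories the backup host may read. Constructed for this example;
# adjust to the backup points in rsnapshot.conf.
ALLOWED_DIRS="/etc/ /home/ /var/www/"

# allow_rsync_command CMD
# Returns 0 when CMD is an rsync server-mode *sender* run against one of
# ALLOWED_DIRS, 1 for anything else. Only string checks, never eval.
allow_rsync_command() {
    cmd=$1

    # Character allowlist: anything outside it (quotes, ; & | $ ( ) < > * ? ...)
    # is refused outright, so the later word split cannot be abused.
    if printf '%s' "$cmd" | LC_ALL=C grep -q '[^A-Za-z0-9 ./_=-]'; then
        return 1
    fi

    set -- $cmd
    [ $# -ge 5 ] || return 1
    # --sender means the remote side only reads from us; a plain --server
    # would let the backup host write into our filesystem.
    [ "$1" = rsync ] && [ "$2" = --server ] && [ "$3" = --sender ] || return 1
    shift 3

    n=$#
    i=0
    last=
    for arg in "$@"; do
        i=$((i + 1))
        last=$arg
        [ "$i" -eq "$n" ] && break          # final word is the source path
        case "$arg" in
            .) ;;                            # rsync's placeholder for "this side"
            --remove-source-files|--log-file=*|--files-from=*|--rsync-path=*|--rsh=*|-e)
                return 1 ;;                  # options that delete, write or spawn here
            -[!-]*|--*) ;;                   # short cluster (-vlogDtprze.iLsfxC) or long option
            *) return 1 ;;
        esac
    done

    # Path must be absolute, free of "..", and under an allowed directory.
    case "$last" in
        /*) ;;
        *) return 1 ;;
    esac
    case "$last" in
        */../*|*/..) return 1 ;;
    esac
    for d in $ALLOWED_DIRS; do
        case "$last" in
            "$d"*) return 0 ;;
        esac
    done
    return 1
}

# Entry point when sshd runs this as the forced command. An interactive
# login (no command requested) leaves SSH_ORIGINAL_COMMAND unset and simply
# exits, so the key never yields a shell.
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    if allow_rsync_command "$SSH_ORIGINAL_COMMAND"; then
        exec $SSH_ORIGINAL_COMMAND
    fi
    echo "rsnapshot-shell: refused: $SSH_ORIGINAL_COMMAND" >&2
    exit 1
fi
```

The from= restriction and the no-* options in the authorized_keys line are independent of the wrapper and worth keeping even with it: they limit which hosts can present the key and stop it being used for port or agent forwarding. Because the key lands on a root login (PermitRootLogin forced-commands-only), the --sender check is the important one; it is the difference between the backup host reading your files and writing to them.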