[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Friday Reminder: Web Site Security

Subject: Friday Reminder: Web Site Security
From: mpalmer at hezmatt.org (Matt Palmer)
Date: Sat, 16 May 2020 13:10:37 +1000
In-reply-to: <332935.1589585091@turing-police>
References: <[email protected]> <332935.1589585091@turing-police>

On Fri, May 15, 2020 at 07:24:51PM -0400, Valdis KlÄ?tnieks wrote:
> And yes, I know that automated systems can't use passphrases.. so remember to
> check to see if you can use 'force-command=' in the known hosts file so that the
> key can only issue one command.  (yes, this means that if the automation host has
> to do a dozen different things, it needs a dozen keypairs.  Security is always tradeoffs.)

No need for trade-offs here; you can have a `command=` (it's not
`force-command=`) wrapper script that validates the command that was sent
(via `$SSH_ORIGINAL_COMMAND`) and does an `exec` if it's on the "approved"
list.  One key, many commands, any command you don't allow gets blocked.

- Matt

References:
- Friday Reminder: Web Site Security
  - From: rfg at tristatelogic.com (Ronald F. Guilmette)
- Friday Reminder: Web Site Security
  - From: valdis.kletnieks at vt.edu (Valdis Klētnieks)

Prev by Date: Friday Reminder: Web Site Security
Next by Date: Friday Reminder: Web Site Security
Previous by thread: Friday Reminder: Web Site Security
Next by thread: Integrated WIFI router and phone adapter
Index(es):
- Date
- Thread