Friday Reminder: Web Site Security
Matt Palmer
mpalmer at hezmatt.org
Sat May 16 03:10:37 UTC 2020
On Fri, May 15, 2020 at 07:24:51PM -0400, Valdis Klētnieks wrote:
> And yes, I know that automated systems can't use passphrases.. so remember to
> check to see if you can use 'force-command=' in the known hosts file so that the
> key can only issue one command. (yes, this means that if the automation host has
> to do a dozen different things, it needs a dozen keypairs. Security is always tradeoffs.)
No need for trade-offs here; you can have a `command=` (it's not
`force-command=`) wrapper script that validates the command that was sent
(via `$SSH_ORIGINAL_COMMAND`) and does an `exec` if it's on the "approved"
list. One key, many commands, any command you don't allow gets blocked.
- Matt
More information about the NANOG
mailing list