Friday Reminder: Web Site Security

• Previous message (by thread): Friday Reminder: Web Site Security
• Next message (by thread): Integrated WIFI router and phone adapter
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Fri, May 15, 2020 at 07:24:51PM -0400, Valdis Klētnieks wrote:
> And yes, I know that automated systems can't use passphrases.. so remember to
> check to see if you can use 'force-command=' in the known hosts file so that the
> key can only issue one command.  (yes, this means that if the automation host has
> to do a dozen different things, it needs a dozen keypairs.  Security is always tradeoffs.)

No need for trade-offs here; you can have a `command=` (it's not
`force-command=`) wrapper script that validates the command that was sent
(via `$SSH_ORIGINAL_COMMAND`) and does an `exec` if it's on the "approved"
list.  One key, many commands, any command you don't allow gets blocked.

- Matt

• Previous message (by thread): Friday Reminder: Web Site Security
• Next message (by thread): Integrated WIFI router and phone adapter
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]