Linux-Noob Forums
how do I only allow the keygen pair to only allow SCP usage - Printable Version

+- Linux-Noob Forums (https://www.linux-noob.com/forums)
+-- Forum: Linux Noob (https://www.linux-noob.com/forums/forum-3.html)
+--- Forum: How Do I? (https://www.linux-noob.com/forums/forum-60.html)
+--- Thread: how do I only allow the keygen pair to only allow SCP usage (/thread-782.html)



how do I only allow the keygen pair to only allow SCP usage - karamorf - 2008-11-15


I want to be able to write a script to basically back up files from other servers. I've got it working from perl grabbing these files without having to ask for password (by using the rsa public/private key I generated and automatically accepting any connection to any foreign host). But what I'm having problems figuring out how to do is only allowing this key pair to issue the scp command (meaning if someone tries to connect to the other servers from the server with the private key it should ask for a password since it cant use the public key on the other server to authenticate ssh since that public key only allows scp usage).

 

Google doesn't seem to be helping much, only get guides on how to generate the key pairs (god is there enough of them?) and I seem to be incapable of finding out how to put limits on the public key (though this could be because I don't know what specifically I'm looking for). I've made some progress, adding command="scp" to the begging of the key does prevent ssh from working but it also breaks scp (basically it looks like the command "scp" was entered without anything else, not the command my perl script was trying to issue against it).

 

Any help would be greatly appreciated, even if it is only a link to a detailed tutorial of all the little things you can set up in the key file.




how do I only allow the keygen pair to only allow SCP usage - Dungeon-Dave - 2008-11-17


You may want to look up the "rsync" command: http://www.samba.org/rsync/ - this could be what you're after if you're looking at making remote backups of files.

 

I take remove backups by having my server(s) making backups files into a directory accessible via apache. I then use apache to secure the directory containing the files so that they're only accessible from specific IP addresses (or with some username/pass combination), so they're not viewable by the general public.

 

I then have a scheduled job that pulls down the backups using "wget" to my home server. Logfiles on both servers show successful downloads (or failed connection attempts, but I've not had any of the latter, luckily).

 

The advantage of this method is that others are able to take backups like I do, but they don't get SSH/SCP/SFTP access to the server - just HTTP access to a specific page. Again, Apache logfiles can verify who/when backups were taken.

 

If you want copies of those scripts, I'm willing to upload them here, but I think rsync is more the beast you're after.