nanog mailing list archives
Re: Friday Reminder: Web Site Security
From: Matt Palmer <mpalmer () hezmatt org>
Date: Sat, 16 May 2020 13:10:37 +1000
On Fri, May 15, 2020 at 07:24:51PM -0400, Valdis Klētnieks wrote:
> And yes, I know that automated systems can't use passphrases... so remember to check to see if you can use 'force-command=' in the known hosts file so that the key can only issue one command. (yes, this means that if the automation host has to do a dozen different things, it needs a dozen keypairs. Security is always tradeoffs.)
No need for trade-offs here; you can have a `command=` (it's not `force-command=`) wrapper script that validates the command that was sent (via `$SSH_ORIGINAL_COMMAND`) and does an `exec` if it's on the "approved" list. One key, many commands, any command you don't allow gets blocked.

- Matt
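As an added example (not Matt's code or anything from the thread), a POSIX sh wrapper of the kind he describes: installed as the `command=` option for the key in `authorized_keys`, it compares `$SSH_ORIGINAL_COMMAND` against an exact allowlist and `exec`s only on a match, refusing both unlisted commands and plain interactive logins. The wrapper path, the `ssh-wrapper run` invocation and the three allowlisted commands are assumptions.

```shell
#!/bin/sh
# Forced-command wrapper for an automation key (example; paths are assumed).
# authorized_keys line that installs it, key blob elided as a placeholder:
#   command="/usr/local/bin/ssh-wrapper run",no-port-forwarding,no-pty,\
#   no-agent-forwarding,no-X11-forwarding ssh-ed25519 AAAA<placeholder> automation
# sshd puts whatever the client asked to run in $SSH_ORIGINAL_COMMAND.

# Allowlist: the whole requested command line must match a literal exactly,
# so "uptime; id" or "run-backup --other-flag" is rejected, not prefix-matched.
allowed_command() {
    case "$1" in
        "/usr/local/bin/run-backup") return 0 ;;
        "/usr/local/bin/rotate-logs") return 0 ;;
        "/usr/bin/uptime") return 0 ;;
        *) return 1 ;;
    esac
}

# The policy decision, separated from exec so it can be tested:
# prints "allow" or "deny:<reason>".
decide() {
    if [ -z "$1" ]; then
        echo "deny:no-command"   # plain "ssh host" with no command: no shell given
    elif allowed_command "$1"; then
        echo "allow"
    else
        echo "deny:not-allowed"
    fi
}

main() {
    cmd=${SSH_ORIGINAL_COMMAND:-}
    case "$(decide "$cmd")" in
        allow)
            logger -t ssh-wrapper "allow user=$(id -un) cmd=$cmd"
            set -f                 # no globbing; $cmd is one of the literals above
            exec $cmd              # replace the wrapper with the approved command
            ;;
        *)
            logger -t ssh-wrapper "deny user=$(id -un) cmd=$cmd"
            echo "command not permitted" >&2
            exit 1
            ;;
    esac
}

# Dispatch only when invoked as "ssh-wrapper run" (the authorized_keys form);
# running or sourcing the file without that argument just defines the functions.
if [ "${1:-}" = run ]; then main; fi
```

The deny branch logs the rejected command line, which is the signal to watch for a key being used outside its intended job.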