<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<p>Thank you, Tim. This is the way for automated single-function
system users. I personally never thought that authorized_keys is
anything more than just a collection of public keys.<br>
</p>
<div class="moz-cite-prefix">On 2019-09-04 10:18 p.m., Tim Laurence
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:CAFtr=np50MmvfieeVTBd1fDORHiMtAiYrh34n90ooHhfYw80pA@mail.gmail.com">
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<div dir="ltr">
<div dir="ltr">
<div>
<div dir="auto">By editing your authorized_keys file you can
also force ssh to execute a specific command on login.
This will mean whenever a certain key is used it will
automatically launch a specified command such as the
remote end of an rsync client.</div>
<div dir="auto"><br>
</div>
<div dir="auto"><a
href="https://manpages.debian.org/buster/openssh-server/authorized_keys.5.en.html"
target="_blank" moz-do-not-send="true">https://manpages.debian.org/buster/openssh-server/authorized_keys.5.en.html</a></div>
<div dir="auto"><br>
</div>
<div>Look for the 'command=' on the man page above to find
the option that does this.<br>
</div>
</div>
</div>
<div><br>
</div>
<div>--Tim</div>
<div><br>
</div>
<div>
<div class="gmail_quote">
<div dir="ltr" class="gmail_attr">On Wed, Sep 4, 2019 at
5:55 PM Jason Eckert &lt;<a
href="mailto:jason.eckert@gmail.com" target="_blank"
moz-do-not-send="true">jason.eckert@gmail.com</a>&gt;
wrote:<br>
</div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px
0.8ex;border-left:1px solid
rgb(204,204,204);padding-left:1ex">
<div dir="ltr">Have you tried using /sbin/nologin instead
of /bin/false?</div>
<br>
<div class="gmail_quote">
<div dir="ltr" class="gmail_attr">On Wed, Sep 4, 2019 at
5:37 PM Paul Nijjar via kwlug-disc &lt;<a
href="mailto:kwlug-disc@kwlug.org" target="_blank"
moz-do-not-send="true">kwlug-disc@kwlug.org</a>&gt;
wrote:<br>
</div>
<blockquote class="gmail_quote" style="margin:0px 0px
0px 0.8ex;border-left:1px solid
rgb(204,204,204);padding-left:1ex">My websearching
skills are failing me on this, so I will ask you smart<br>
people. <br>
<br>
I have an account that is kind of a service account
(humans will not<br>
log into that account) but will be used for rsync via
ssh. For<br>
security I would prefer that this account be locked
down.<br>
<br>
I had set the shell of the user to /bin/false, but
then ssh does not<br>
work. <br>
<br>
I am using a whitelist script I documented here:<br>
<a
href="http://pnijjar.freeshell.org/2015/lock-rsync/"
rel="noreferrer" target="_blank"
moz-do-not-send="true">http://pnijjar.freeshell.org/2015/lock-rsync/</a><br>
<br>
Now I am wondering if there is more I can do to lock
down the account.<br>
Setting the shell to /bin/rbash is not helpful unless
I lock down a<br>
bunch of other things. There is an rssh shell that I
have read about,<br>
but I have not tried it yet. <br>
<br>
One thing I am considering is actually setting the
shell for the user<br>
to my whitelist script, which is a python executable.
Is this a<br>
promising idea or a terrible one?<br>
<br>
- Paul<br>
<br>
-- <br>
Get tech event listings: <a
href="https://off-topic.kwlug.org/watcamp"
rel="noreferrer" target="_blank"
moz-do-not-send="true">https://off-topic.kwlug.org/watcamp</a><br>
Blog: <a href="http://pnijjar.freeshell.org"
rel="noreferrer" target="_blank"
moz-do-not-send="true">http://pnijjar.freeshell.org</a><br>
<br>
_______________________________________________<br>
kwlug-disc mailing list<br>
<a href="mailto:kwlug-disc@kwlug.org" target="_blank"
moz-do-not-send="true">kwlug-disc@kwlug.org</a><br>
<a
href="http://kwlug.org/mailman/listinfo/kwlug-disc_kwlug.org"
rel="noreferrer" target="_blank"
moz-do-not-send="true">http://kwlug.org/mailman/listinfo/kwlug-disc_kwlug.org</a><br>
</blockquote>
</div>
</blockquote>
</div>
</div>
</div>
<br>
</blockquote>
<div class="moz-signature">-- <br>
Mikalai Birukou <br>
CEO | 3NSoft Inc.</div>
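<p>A sketch of the forced-command approach discussed in this thread, added here as an example; it is not Paul's whitelist script or anyone else's code from the thread. It pairs a <code>command=</code> entry in authorized_keys (with the <code>restrict</code> option from the same man page) with a wrapper that accepts only an rsync server invocation under one directory. The script path, <code>/srv/backup</code>, the rsync location and the key are assumptions.</p>

```python
"""Forced-command wrapper for an rsync-only SSH key (added example).

Constructed authorized_keys entry; script path and key are placeholders:
  command="/usr/local/bin/rsync-only",restrict ssh-ed25519 AAAA...placeholder backup@client
sshd sets SSH_ORIGINAL_COMMAND to whatever the client asked to run.
"""
import os
import posixpath
import shlex
import sys

ALLOWED_ROOT = "/srv/backup"  # hypothetical tree this key may read or write
RSYNC = "/usr/bin/rsync"      # assumed location of rsync on the server

def inside_root(path):
    """Lexical check only: symlinks below ALLOWED_ROOT are not resolved."""
    clean = posixpath.normpath(path)
    return (path.startswith("/") and ".." not in path.split("/")
            and (clean == ALLOWED_ROOT or clean.startswith(ALLOWED_ROOT + "/")))

def vet(original):
    """Return the argv to exec, or None when the request is refused."""
    try:
        argv = shlex.split(original or "")
    except ValueError:  # unbalanced quotes
        return None
    # The rsync client requests: rsync --server [--sender] -flags . PATH...
    if argv[:2] != ["rsync", "--server"] or "." not in argv[2:]:
        return None
    dot = argv.index(".", 2)
    opts, paths = argv[2:dot], argv[dot + 1:]
    # Conservative choice of this example: refuse options that carry a value
    # (such as --log-file=PATH), since they can name files outside the tree.
    if not all(o.startswith("-") and "=" not in o for o in opts):
        return None
    if not paths or not all(inside_root(p) for p in paths):
        return None
    return argv

def main():
    argv = vet(os.environ.get("SSH_ORIGINAL_COMMAND"))
    if argv is None:  # also covers a login with no command at all
        sys.stderr.write("rsync-only: request refused\n")
        return 1
    os.execv(RSYNC, argv)  # exec directly, never through a shell

if __name__ == "__main__":
    sys.exit(main())
```

<p>With a forced command in place the account can keep an ordinary login shell, since sshd uses that shell to start the wrapper; the key itself can no longer reach an interactive session.</p>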
</body>
</html>