
Re: [OCLUG-Tech] Automatic upload of files to server

One thing you could do is use the "command=" option in the
.ssh/authorized_keys file to force execution of a particular command
when ssh/scp is run using a particular public key.  You could then write
a small bash or perl script to force scp and force it to the file of
your choice.

For example, putting this in your authorized_keys

command="/path/to/ssh_gate" ssh-rsa AAAAB...ZZZ comment_field

would force the execution of "/path/to/ssh_gate" when ssh/scp is invoked
with the AAA... public_key.

/path/to/ssh_gate could contain:

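#!/bin/bash
# Run the receiving end of scp, always writing to temp_file
# regardless of the file name the client asked for.
/usr/bin/scp -t temp_file &&
    cat temp_file >> other_file   # append only if the transfer succeeded
rm -f temp_file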

which would invoke the receiving end of the scp connection (the '-t'
option), but force the destination file to be temp_file ignoring the
user supplied filename, and then cat'ing the file, for example, to other
previously collected data.  It would have the side effect of disabling
shell access, since only scp will be invoked.  The user must use scp;
anything else will fail with protocol errors.

If you want to try for fancier per-user file names, the
SSH_ORIGINAL_COMMAND environment variable will have in it what you would
expect, which you could then parse, validate and use.

Michael
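
Added example, not part of the original post: one way an ssh_gate script could parse and validate SSH_ORIGINAL_COMMAND before using the client's file name. The UPLOAD_DIR location, the per-key label argument and the function names are assumptions made for illustration.

```bash
#!/bin/bash
# Hypothetical ssh_gate variant. Assumed authorized_keys entry, one per key:
#   command="/path/to/ssh_gate alice" ssh-rsa AAAAB...ZZZ comment_field
# Assumes the client speaks the legacy scp protocol, so the request
# arrives in SSH_ORIGINAL_COMMAND as "scp [-v] [-p] -t NAME".
LC_ALL=C; export LC_ALL                    # make the [A-Za-z] ranges byte-wise
UPLOAD_DIR="${UPLOAD_DIR:-$HOME/uploads}"  # assumed drop directory

# Print the validated file name from an scp upload request, or return 1.
validate_upload() {
    rest=$1
    case "$rest" in "scp "*) rest=${rest#scp } ;; *) return 1 ;; esac
    # Tolerate the harmless -v and -p flags. Anything else before -t,
    # such as -f (download), -r or -d (directories), is refused below.
    while :; do
        case "$rest" in
            "-v "*|"-p "*) rest=${rest#-? } ;;
            *) break ;;
        esac
    done
    case "$rest" in "-t "*) rest=${rest#-t } ;; *) return 1 ;; esac
    rest=${rest#-- }
    # Plain base name only: no slash, space or shell metacharacter,
    # and no leading dot or dash.
    case "$rest" in
        ""|.*|-*|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    [ "${#rest}" -le 64 ] || return 1
    printf '%s\n' "$rest"
}

gate_main() {
    label=$1    # set by the admin in authorized_keys, never by the client
    name=$(validate_upload "${SSH_ORIGINAL_COMMAND:-}") || {
        echo "ssh_gate: upload refused" >&2
        exit 1
    }
    umask 077
    exec /usr/bin/scp -t "$UPLOAD_DIR/$label.$name"
}

# Act only when sshd started us as a forced command.
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    gate_main "$@"
fi
```

OpenSSH 9.0 and later scp clients default to the SFTP protocol, so they need `scp -O` to send the legacy request this gate accepts.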

John C Nash wrote:
> I'm trying to get various statisticians to run performance tests on
> their machinery and have my "tester" put the results (roughly 30K file
> per run) onto my server. I can do this in a cross-platform way with scp
> (pscp in Windows, not sure on Mac yet, but there should be an scp
> client). However, this uses key pairs and possibly opens up the pseudo
> user on my server. Does anyone have pointers to how to lock down
> security holes? I'd like to avoid using web protocols and just keep ssh
> open if I can.
> 
> JN