One thing you could do is use the "command=" option in the .ssh/authorized_keys file to force execution of a particular command when ssh/scp is run using a particular public key. You could then write a small bash or perl script to force scp and force it to the file of your choice.

For example, putting this in your authorized_keys:

    command="/path/to/ssh_gate" ssh-rsa AAAAB...ZZZ comment_field

would force the execution of "/path/to/ssh_gate" when ssh/scp is invoked with the AAA... public_key.

/path/to/ssh_gate could contain:

    #!/bin/bash
    /usr/bin/scp -t temp_file
    cat temp_file >> other_file
    rm temp_file

which would invoke the receiving end of the scp connection (the '-t' option), but force the destination file to be temp_file, ignoring the user-supplied filename, and then cat'ing the file, for example, to other previously collected data.

It would have the side effect of disabling shell access, since only scp will be invoked. The user must use scp; anything else will fail with protocol errors.

If you want to try for fancier per-user file names, the SSH_ORIGINAL_COMMAND environment variable will have in it what you would expect, which you could then parse, validate and use.

Michael

John C Nash wrote:
> I'm trying to get various statisticians to run performance tests on
> their machinery and have my "tester" put the results (roughly 30K file
> per run) onto my server. I can do this in a cross-platform way with scp
> (pscp in Windows, not sure on Mac yet, but there should be an scp
> client). However, this uses key pairs and possibly opens up the pseudo
> user on my server. Does anyone have pointers to how to lock down
> security holes? I'd like to avoid using web protocols and just keep ssh
> open if I can.
>
> JN
>
> _______________________________________________
> Linux mailing list
> Linux [ at ] lists [ dot ] oclug [ dot ] on [ dot ] ca
> http://oclug.on.ca/mailman/listinfo/linux
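
The SSH_ORIGINAL_COMMAND parsing and validation suggested in the reply above, as an added example that is not part of the original post: a gate that accepts only a single-file "scp -t" upload and derives a per-user destination from it. The UPLOAD_DIR location, the per-key tag passed as the script's first argument (command="/path/to/ssh_gate TAG"), the filename policy and the assumption that UPLOAD_DIR/TAG already exists are all hypothetical choices made for this sketch.

```shell
#!/bin/sh
# Added example: forced-command gate for an upload-only key.
# UPLOAD_DIR, the per-key TAG argument and the filename policy are assumptions.
UPLOAD_DIR="${UPLOAD_DIR:-/srv/uploads}"

# valid_name NAME: succeed only for a plain name made of letters, digits,
# '.', '_' and '-', not starting with '.' or '-', at most 64 characters.
valid_name() {
    case "$1" in
        ''|.*|-*|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    [ "${#1}" -le 64 ]
}

# gate_dest TAG CMD: print the destination path for the upload requested in
# CMD (the client's SSH_ORIGINAL_COMMAND), or return 1 if CMD is not a
# single-file "scp -t" upload with an acceptable name.
gate_dest() {
    tag=$1
    valid_name "$tag" || return 1
    set -f                      # no glob expansion while splitting CMD
    set -- $2                   # split CMD into words
    set +f
    [ "$1" = scp ] || return 1
    shift
    sink=0
    while [ $# -gt 1 ]; do      # every word before the last must be an option
        case "$1" in
            -t) sink=1 ;;       # receiving ("to") side of the scp protocol
            -v|--) ;;           # harmless extras a client may send
            *) return 1 ;;      # -f (download), -r, a second file, anything else
        esac
        shift
    done
    [ "$sink" -eq 1 ] && [ $# -eq 1 ] && valid_name "$1" || return 1
    printf '%s/%s/%s\n' "$UPLOAD_DIR" "$tag" "$1"
}

# Entry point when sshd runs this as command="/path/to/ssh_gate TAG".
# With no original command (an interactive login attempt) nothing runs.
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    dest=$(gate_dest "${1:-}" "$SSH_ORIGINAL_COMMAND") || {
        echo "ssh_gate: request refused" >&2
        exit 1
    }
    exec /usr/bin/scp -t "$dest"
fi
```

A forced command does not by itself turn off port, agent or X11 forwarding for the key, so the authorized_keys entry should also carry "restrict" (or the individual no-port-forwarding, no-agent-forwarding, no-X11-forwarding and no-pty options). OpenSSH 9.0 and later scp clients use the SFTP protocol by default and need "-O" to send the legacy "scp -t" command this gate expects.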