On 09/23/2013 02:44 PM, m.roth at 5-cent.us wrote:
> Lists wrote:
>> On 09/23/2013 01:50 PM, Les Mikesell wrote:
>>> Is there something that convinces you that sudo is better at handling
>>> the command restriction than sshd would be?
>> In the context of a production server, the idea is to remove any ability
>> from another host (EG: backup server) to run local arbitrary code or
>> change local files. (read-only)
> <snip>
>> You can disable the password on the backup account to achieve a similar
>> effect using an SSHD option. If there's a better/simpler way to do this
>> via SSHD option I'd love to hear about it!
>>
> Sure. You disable password authentication, and allow keys only, in
> /etc/ssh/sshd_config.
>

This prohibits SSH logins via password, but does not strictly enforce what commands are allowed to be run (and all options allowed) by a specific which is what I was looking for. Having done a bit more research, it does appear that you could use the "ForceCommand" option and disable passwords altogether for a user to achieve a similar effect with SSHD.

-Ben
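Added example, not part of the original message: one way to use the `ForceCommand` approach mentioned above so that a key-only account can run a fixed set of read-only commands with fixed options. The account name `backup`, the script path, the `--enforce` flag and the request names `dump-etc`/`dump-home` are assumptions made for illustration.

```shell
#!/bin/sh
# Gate script for sshd's ForceCommand (constructed example).
# Assumed sshd_config stanza; the user name and script path are hypothetical:
#
#   Match User backup
#       PasswordAuthentication no
#       AllowTcpForwarding no
#       X11Forwarding no
#       PermitTTY no
#       ForceCommand /usr/local/sbin/backup-gate --enforce
#
# sshd runs the forced command instead of whatever the client asked for and
# exposes the client's request in SSH_ORIGINAL_COMMAND. Here the request is
# only a selector into a fixed table; it is never eval'd or handed to a shell.

# Print the fixed command line for an allowed request; return 1 otherwise.
gate_resolve() {
    case "$1" in
        dump-etc)  echo "tar -C / -cf - etc" ;;
        dump-home) echo "tar -C / -cf - home" ;;
        *)         return 1 ;;
    esac
}

# Enforce the policy for the current SSH session.
gate_main() {
    # Unset when the client asked for an interactive shell: denied as well.
    request="${SSH_ORIGINAL_COMMAND:-}"
    if cmd=$(gate_resolve "$request"); then
        # Word splitting is intended: cmd comes from the table above only.
        exec $cmd
    fi
    logger -t backup-gate "denied request: $request" 2>/dev/null || true
    echo "backup-gate: request not permitted" >&2
    exit 1
}

# Only enforce when invoked the way the ForceCommand line above invokes it.
if [ "${1:-}" = "--enforce" ]; then
    gate_main
fi
```

With this in place, `ssh backup@host dump-etc > etc.tar` from the backup server succeeds, while any other command string, or an attempt to add options, is refused and logged.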