[CentOS] Howto: Extremely tight security rsync shell for backups

Mon Sep 23 21:52:23 UTC 2013
Lists <lists at benjamindsmith.com>

On 09/23/2013 02:44 PM, m.roth at 5-cent.us wrote:
> Lists wrote:
>> On 09/23/2013 01:50 PM, Les Mikesell wrote:
>>> Is there something that convinces you that sudo is better at handling
>>> the command restriction than sshd would be?
>> In the context of a production server, the idea is to remove any ability
>> from another host (EG: backup server) to run local arbitrary code or
>> change local files. (read-only)
> <snip>
>> You can disable the password on the backup account to achieve a similar
>> effect using an SSHD option. If there's a better/simpler way to do this
>> via SSHD option I'd love to hear about it!
>>
> Sure. You disable password authentication, and allow keys only, in
> /etc/ssh/sshd_config.
>

This prohibits SSH logins via password, but does not strictly enforce 
what commands are allowed to be run (and all options allowed) by a 
specific which is what I was looking for.

Having done a bit more research, It does appear that you could use the 
"ForceCommand" option and disable passwords altogether for a user to 
achieve a similar effect with SSHD.

-Ben