On Fri, Oct 08, 2010 at 10:05:50AM +0200, Andrea Conti wrote:
> Now, the remote sshd is never sent any information about what is
> connected to the local end of the pipe (which is not even known to
> ssh!), so there is no way to alter its behavior depending on that.
>
> IOW, nothing in the setup you and I proposed prevents the user from
> piping an arbitrary command into ssh (or even using a ssh-invoking
> wrapper such as scp or rsync) and getting successfully authenticated on
> the server. You are only guaranteed that the server will run tar in
> place of whatever remote command the client requests, so that the
> connection will break if the client side sends non-tar data.
>
> In my opinion this is quite different from "[allowing] only one single
> command from a single cronjob to operate passwordless", but then I might
> just be splitting hairs.

Okay, reading your explanation I agree with you on both counts: the behaviour does not exactly fit the letter of the question, and that you are splitting hairs because I think the behaviour is good enough for the spirit of the message.

Cheers,

W
--
Willie W. Wong ww...@math.princeton.edu
Data aequatione quotcunque fluentes quantitae involvente fluxiones invenire
et vice versa ~~~ I. Newton