On 8 May 2009, at 22:36, Ton Voon wrote:

"I've just thought - the other way of doing this is to create a new ssh public/private key on the slave. Then put the public key on the master but you restrict the command in ssh to run only a certain command (see ssh documentation re: restricting the command).

This means that the slave can ssh to nag...@master, but can only run a single command, which can just be your cat command. This avoids having to change rc.opsview-slave and should be sufficient for your security needs."

That's a very good point and I'll run this by them. Perhaps just specifying no-pty may suffice, although I'm unsure if this would then allow the tunnels to be generated. However, they seem very insistent on not having a shell for that user at all. They don't want anything to be able to bypass it (scp, forwarding, etc.) and are even pushing for something more secure than /bin/cat (like some entirely blocking binary that fundamentally does nothing at all).

Thanks very much for your help.

_______________________________________________
Opsview-users mailing list
http://lists.opsview.org/listinfo/opsview-users
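
Added example, not part of the original message or of Opsview: a short Python audit of `authorized_keys` entries that shows what a key may still do once a forced command is set. In sshd, `no-pty` only stops terminal allocation while forwarding has its own options, and options are applied in order; the sample entries, key material and key comments below are constructed.

```python
# Added example: what does each authorized_keys entry still allow?
KEY_PREFIXES = ("ssh-", "ecdsa-", "sk-")
# Things sshd permits for a key by default; each has a "no-" option to disable it.
CAPS = ("pty", "port-forwarding", "agent-forwarding", "x11-forwarding", "user-rc")

def split_options(line):
    """Split one entry into ([(option, value)], remainder: key type, key, comment)."""
    line = line.strip()
    if line.startswith(KEY_PREFIXES):          # no options field at all
        return [], line
    fields, cur, quoted, i = [], "", False, 0
    while i < len(line):
        c = line[i]
        if quoted and line[i:i + 2] == '\\"':  # escaped quote inside a value
            cur, i = cur + '"', i + 1
        elif c == '"':
            quoted = not quoted
        elif c == "," and not quoted:
            fields.append(cur)
            cur = ""
        elif c.isspace() and not quoted:       # first unquoted blank ends the options
            break
        else:
            cur += c
        i += 1
    fields.append(cur)
    opts = [(f.partition("=")[0].lower(), f.partition("=")[2] or None) for f in fields]
    return opts, line[i:].strip()

def audit(line):
    """Apply options in order, as sshd does, and report what the key may still do."""
    opts, rest = split_options(line)
    allowed, command = set(CAPS), None
    for name, value in opts:
        if name == "restrict":                 # everything off; later options may re-enable
            allowed.clear()
        elif name == "command":
            command = value
        elif name in CAPS:
            allowed.add(name)
        elif name[:3] == "no-" and name[3:] in CAPS:
            allowed.discard(name[3:])
    return {"key": rest.split()[-1], "command": command, "allowed": sorted(allowed)}

# Constructed sample entries; the key material and comments are placeholders.
SAMPLE = [
    'ssh-rsa AAAAPLACEHOLDER slave-unrestricted',
    'command="/bin/cat",no-pty ssh-rsa AAAAPLACEHOLDER slave-nopty-only',
    'command="/bin/cat",no-pty,no-agent-forwarding,no-X11-forwarding,no-user-rc ssh-rsa AAAAPLACEHOLDER slave-tunnel-only',
]

if __name__ == "__main__":
    for entry in SAMPLE:
        print(audit(entry))
```

An entry whose `allowed` list is empty except for `port-forwarding` gives the key tunnels and the forced command and nothing else; the forced command also replaces any command or subsystem the client requests.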
