Restrict "serve" command to "create" operation only

[xdml]

This is security enhancement as well as --restrict-to-path option for server command.

Usage

Doing remote backups over ssh using ssh key based authentication.

Backup admin restricts serve command on server for automated ssh keys (without passphrase) to create command only (executed on machines).

If machine is compromised, attacker gets access to ssh key, that is restricted to create command only and will not be able to list, delete, prune, extract, mount and other commands from machine.

Sys admin should have another ssh key (agent forwarded personal key or shared stored with passphrase) that is not restricted to create command only.

In large environments kerberos should be used insead ssh key based authentication.

[monkz]

i would like to see this as well.

[ThomasWaldmann]

+1

[fl0at]

Attic doesn't necessarily even need to be aware of SSH: as long as attic serve passes along restrictive/explicit flags for path, permissions and the like, the authorized_keys command="foo --bar /qux/baz" configuration can limit access via the power of OpenSSH.

This is something I do all the time with rsync to limit path, bidirectionality, etc, and would probably work here :) (Eg, command="rsync --server --sender -vvtrze.iLs . /var/backup/")