Plus the scripts that
- when calling ssh dsync first writes the username to stdout (before dsync starts communicating)
and
- dsync.sh on remote first reads the username from stdin, before execing dsync itself
Because it's not possible to give -u $username parameter in the authorized_keys cmd itself. That's the only changing parameter that is needed.
On 15.3.2012, at 23.49, David Ford wrote:
in ~privilegeduser/.ssh/authorized_keys:
from=<list of hosts key is valid for> cmd=dsync.sh pubkey...
On 03/15/2012 05:05 PM, Timo Sirainen wrote:
Then again it's safer to use system user accounts than a single vmail account that has access to everyone's emails. And if you allow ssh login only with public key authentication I don't think there are many security issues. And finally, it would be possible to write a small wrapper that allows the root's public key auth to only execute dsync-user.sh script that can't do anything except sync a specified user's mails.
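A sketch of the remote wrapper described at the top of this message, as an added example that is not code from the thread or from the Dovecot project. It assumes dsync is installed at /usr/bin/dsync, that the remote side is started as `dsync -u <user> server`, and that usernames fit the character set shown; the function names are hypothetical.

```shell
#!/bin/sh
# dsync.sh: forced-command wrapper on the remote side (constructed example).
# authorized_keys pins this script for the key, so the only thing the
# caller controls is the first line it sends on stdin: the username.
LC_ALL=C; export LC_ALL
DSYNC=${DSYNC:-/usr/bin/dsync}   # assumed install path

# Accept only a conservative username alphabet. Rejecting a leading "-"
# keeps the value from being parsed as a dsync option.
valid_username() {
    case "$1" in
        ''|-*|*[!A-Za-z0-9._@-]*) return 1 ;;
    esac
    [ "${#1}" -le 128 ]
}

# Read exactly one line from stdin and print it if it is a valid username.
# On a pipe or socket the shell's read consumes input a byte at a time and
# stops at the newline, so the dsync protocol bytes that follow stay in the
# stream for dsync itself.
read_username() {
    IFS= read -r user || return 1
    valid_username "$user" || return 1
    printf '%s\n' "$user"
}

main() {
    # SSH_ORIGINAL_COMMAND is deliberately ignored: nothing the client
    # passes on the ssh command line influences what gets executed.
    user=$(read_username) || { echo "dsync.sh: rejected username" >&2; exit 1; }
    exec "$DSYNC" -u "$user" server   # "server" mode is an assumption
}

# Run only when installed under its real name, so the functions above can
# be sourced and checked without starting dsync.
if [ "${0##*/}" = "dsync.sh" ]; then
    main
fi
```

The calling side has to emit the username followed by a newline before dsync starts talking, which is the first of the two scripts mentioned above.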