在服务器端,您可以通过 IP 地址或主机名设置额外的限制,但这并不真正安全(例如,IP 地址可能是伪造的)。如果要运行应用程序的计算机已经安装了 SSH,则它们应该具有主机密钥,并且也许您可以进行主机身份验证。但这仍然只有在这些主机或多或少在您的控制之下时才真正有用。
Everything is possible with the right configurations, but there are some security points to consider.
You certainly don't want everyone on the net to be able to execute any command on your server. So simply allowing everything is not a good idea.
Everyone who has your application on a computer in her control can do everything what your application can do ... and maybe more, if the application has limits only build in itself, not the server side.
You can distribute a private key with your application (and pass to SSH on connection), but of course then anyone having the application can extract this key. (If the application can access it, so can do any attacker who has control over it.)
You could also distribute a password with your application and somehow pass it to ssh, but still, in principle anyone who has the application can get the password.
If there is always the same command to be executed (maybe with different inputs), you can force this specific command at the server-side - for example, for a specific public key in the authorized_keys file. Or you could create a SSH subsystem and only allow this by server configuration.
On the server side, you can put additional limits by IP address or host name, but this is not really secure (IP adresses can be faked, for example). If the computers on which the application is to be run have already existing SSH installations, they should have host keys, and maybe you can do host authentication. But this is still only really useful if these hosts are under your control, more or less.
For security issues, a password (if you don't use a certificate) will always asked to you interactively, unless you configure server in an advanced way.
You can use a certificate, by inserting password one time.
发布评论
评论(3)
只要配置正确,一切皆有可能,但需要考虑一些安全点。
您当然不希望网络上的每个人都能够在您的服务器上执行任何命令。因此,简单地允许一切并不是一个好主意。
在她控制的计算机上拥有您的应用程序的每个人都可以执行您的应用程序可以执行的所有操作...甚至更多,如果应用程序仅在其自身而不是服务器端构建限制。
您可以使用您的应用程序分发私钥(并在连接时传递给 SSH),但是当然,拥有该应用程序的任何人都可以提取该密钥。 (如果应用程序可以访问它,那么任何控制它的攻击者也可以访问它。)
您还可以与您的应用程序一起分发密码并以某种方式将其传递给 ssh,但原则上任何拥有该应用程序的人都可以获取密码。
如果始终要执行相同的命令(可能使用不同的输入),您可以在服务器端强制执行此特定命令 - 例如,针对authorized_keys 文件中的特定公钥。或者,您可以创建一个 SSH 子系统,并且仅通过服务器配置允许这样做。
在服务器端,您可以通过 IP 地址或主机名设置额外的限制,但这并不真正安全(例如,IP 地址可能是伪造的)。如果要运行应用程序的计算机已经安装了 SSH,则它们应该具有主机密钥,并且也许您可以进行主机身份验证。但这仍然只有在这些主机或多或少在您的控制之下时才真正有用。
Everything is possible with the right configurations, but there are some security points to consider.
You certainly don't want everyone on the net to be able to execute any command on your server. So simply allowing everything is not a good idea.
Everyone who has your application on a computer in her control can do everything what your application can do ... and maybe more, if the application has limits only build in itself, not the server side.
You can distribute a private key with your application (and pass to SSH on connection), but of course then anyone having the application can extract this key. (If the application can access it, so can do any attacker who has control over it.)
You could also distribute a password with your application and somehow pass it to ssh, but still, in principle anyone who has the application can get the password.
If there is always the same command to be executed (maybe with different inputs), you can force this specific command at the server-side - for example, for a specific public key in the authorized_keys file. Or you could create a SSH subsystem and only allow this by server configuration.
On the server side, you can put additional limits by IP address or host name, but this is not really secure (IP adresses can be faked, for example). If the computers on which the application is to be run have already existing SSH installations, they should have host keys, and maybe you can do host authentication. But this is still only really useful if these hosts are under your control, more or less.
出于安全问题,除非您以高级方式配置服务器,否则将始终以交互方式询问您密码(如果您不使用证书)。
您可以通过插入一次密码来使用证书。
看看这个
For security issues, a password (if you don't use a certificate) will always asked to you interactively, unless you configure server in an advanced way.
You can use a certificate, by inserting password one time.
Take a look at this
在 debian 上,存在一个用于此目的的工具,它称为 sshpass (非交互式 ssh 密码提供程序)< /a>
但它带有很多警告和警告!在继续走这条路之前,请确保正确评估风险......
On debian, a tool exists for this and it's called sshpass (a noninteractive ssh password provider)
It comes with lots of warnings and caveats though! Be sure you assess the risks properly before continuing down this path...