On Monday 06 August 2001 18:29, Maarten J H van den Berg wrote:

[followup to self, with additional info...]

Let me explain this setup a bit more:

Let's say, on the client named foobarclient.com you wish to run this next command in a backup script:

    rsync -e ssh -ogLv /var/foobar.tar.gz root@foobarserver.com:/var/backup/

which sends a file with rsync, tunneled through ssh. You make a certificate without passphrase for the user that will run this, and that certificate you add to the server's authorized_keys file, but WITH the below additions (!):

    root@foobarserver.com:~ # cat .ssh/authorized_keys
    [line wrapped, all this belongs on 1 line!]
    command="rsync --server -vLog . /var/backup/",no-port-forwarding,no-X11-forwarding,no-agent-forwarding 1024 35 1534927354983xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx393344741 root@foobarclient.com

Now whatever the client does, the server will enforce the command that is inside the authorized_keys file every time that specific certificate is used to connect. No matter what the client tells it to run instead, the server will not allow you to run any other command. You can add more options to make it even more secure, for instance the client IP number, etc.

I've been using this for a while now, with good results.

To find out how a client command translates to the command which the server "sees", you have to run sshd in debug mode; you can then cut & paste the command= line from your logs.

Good luck,
Maarten

--
Maarten J. H. van den Berg ~~//~~ network administrator
van Boetzelaer van Bemmel - Amsterdam - The Netherlands
http://vbvb.nl T+31204233288 F+31204233286 G+31651994273
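An added example, not part of Maarten's post: a small Python audit that reads an authorized_keys file the way sshd does (the quoted command= value may itself contain commas) and reports every key that lacks the forced command or one of the no-*-forwarding options described above. The sample file contents, key material and placeholder modulus are constructed.

```python
# Audit an authorized_keys file for the restrictions used in the post above:
# a forced command plus no-port-forwarding, no-X11-forwarding and
# no-agent-forwarding. Options are split as sshd reads them: comma separated,
# but a quoted value may itself contain commas and backslash-escaped quotes.
REQUIRED = {"no-port-forwarding", "no-x11-forwarding", "no-agent-forwarding"}
KEY_TYPES = ("ssh-", "ecdsa-", "sk-")  # lines starting like this have no options
# Constructed sample (not from the post): an SSH1-style entry with a shortened
# placeholder modulus, and an OpenSSH2 key that carries no restrictions at all.
SAMPLE = """\
command="rsync --server -vLog . /var/backup/",no-port-forwarding,no-X11-forwarding,no-agent-forwarding 1024 35 1534927354983393344741 root@foobarclient.com
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQCplaceholderkey= backup@foobarclient.com
"""
def parse_options(line):
    """Return (options, rest): bare flags map to True; rest is the key itself."""
    opts, i, n = {}, 0, len(line)
    while i < n and not line[i].isspace():
        j = i
        while j < n and line[j] not in ",=" and not line[j].isspace():
            j += 1
        name, value = line[i:j].lower(), True
        if j < n and line[j] == "=":  # sshd requires values to be quoted
            j += 1
            if j < n and line[j] == '"':  # quoted value: commas allowed inside
                j, buf = j + 1, []
                while j < n and line[j] != '"':
                    if line[j] == "\\" and j + 1 < n and line[j + 1] == '"':
                        j += 1  # drop the backslash of an escaped quote
                    buf.append(line[j])
                    j += 1
                value, j = "".join(buf), j + 1
        if name:
            opts[name] = value
        i = j + 1 if j < n and line[j] == "," else j
    return opts, line[i:].lstrip()

def audit(text):
    """Return (comment, forced_command, missing_restrictions) per key entry."""
    findings = []
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        if line.startswith(KEY_TYPES) or line.split(None, 1)[0].isdigit():
            opts, rest = {}, line  # no options field at all
        else:
            opts, rest = parse_options(line)
        fields = rest.split()  # SSH1: bits exp modulus [comment]; SSH2: type key [comment]
        comment = fields[-1] if len(fields) > (3 if fields[0].isdigit() else 2) else "<no comment>"
        missing = (["command"] if "command" not in opts else []) + sorted(REQUIRED - set(opts))
        findings.append((comment, opts.get("command"), missing))
    return findings
```

Running audit() over a real file lists, per key comment, the forced command sshd will enforce and which of the restrictions are absent.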