Configuring Machines to allow scripts secure remote access

  1. On the scripting machine, create a private/public SSH key pair for the task.
    ssh-keygen -t dsa -b 1024 -f /some/restricted/location/identity -P ''
    Note: the key is created with an empty passphrase (-P '') so the script can use it unattended, so /some/restricted/location should be accessible only by the user ID under which the script runs, e.g. mode 700 in Unix/Linux. The identity file will be created mode 400.
  2. Create an account on the target with a non-obvious name. Bad examples would include names such as 'remoteuser', 'guest', 'test'.
  3. On the target machine, copy the task's public key into the authorized_keys file of the new account with the following restrictions:
    • from="some host list"
    • no-port-forwarding
    • no-X11-forwarding
    • no-agent-forwarding
    • command="command"
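
One way to check that an authorized_keys entry carries all five restrictions from step 3. This is an added example, not part of the original page; the key blob, the command path and the function names are constructed for illustration.

```python
import re

# Restrictions listed in step 3; sshd treats option keywords case-insensitively.
REQUIRED_FLAGS = ("no-port-forwarding", "no-x11-forwarding", "no-agent-forwarding")
REQUIRED_VALUES = ("from", "command")
KEY_TYPE = re.compile(r"(ssh-|ecdsa-sha2-|sk-)")  # entry that has no options field

def split_unquoted(text, seps, maxsplit=-1):
    """Split on separators that lie outside double quotes (backslash-quote is escaped)."""
    parts, buf, in_quote, i = [], [], False, 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and in_quote and text[i + 1:i + 2] == '"':
            buf.append('\\"')          # keep the escaped quote, do not toggle state
            i += 2
            continue
        if ch == '"':
            in_quote = not in_quote
        if ch in seps and not in_quote and (maxsplit < 0 or len(parts) < maxsplit):
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf))
    return parts

def missing_restrictions(line):
    """Return the step 3 restrictions that one authorized_keys entry lacks, sorted."""
    line = line.strip()
    opts = {}
    if not KEY_TYPE.match(line):       # options field ends at first unquoted whitespace
        for item in split_unquoted(split_unquoted(line, " \t", 1)[0], ","):
            name, _, value = item.partition("=")
            opts[name.lower()] = value.strip('"')
    missing = [f for f in REQUIRED_FLAGS if f not in opts]
    missing += [v for v in REQUIRED_VALUES if not opts.get(v)]
    return sorted(missing)

# Constructed sample entries: key blob and command path are placeholders.
SAMPLE = [
    'from="scripting.machine.duke.edu",no-port-forwarding,no-X11-forwarding,'
    'no-agent-forwarding,command="/usr/local/bin/nightly-task" ssh-dss AAAAB3CONSTRUCTED task',
    'no-port-forwarding,command="echo \\"a, b\\"" ssh-dss AAAAB3CONSTRUCTED task',
    "ssh-dss AAAAB3CONSTRUCTED task",
]

if __name__ == "__main__":
    for entry in SAMPLE:
        print(missing_restrictions(entry) or "ok", "<-", entry[:40])
```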

For example, the authorized_keys file on the target machine for the account would look like:

To test from the machine scripting.machine.duke.edu: