Securing passphrase-less ssh, using ssh-agent, command=, sudo and rrsync
I just came across yet another example of someone assuming that it's OK to create a passphrase-less ssh key and grant it root access on a remote machine.
Prompted by that, I've written up how to do passphrase-less ssh properly.
One trick that I mention is having a script like this:
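    #!/usr/bin/ssh-agent /bin/sh
    # The shebang starts a private ssh-agent that exits when this script ends.
    # Load the default key into that agent, prompting for its passphrase.
    ssh-add
    # -A forwards the agent to remote-server for this session only.
    ssh -A remote-server ~/bin/kick-off-job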
allowing the remote machine to access us, but only when we're talking to them.