A Handy SSH Feature

One method of limiting SSH access is to generate a key pair and then restrict how that key can be used. A typical goal is to let automated shell scripts run over SSH while preventing interactive logins with the same key.

SSH supports per-key restrictions in the user’s authorized_keys file, written as comma-separated options in front of the public key. For example:

from="$DEVICE_IP_ADDRESS",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty $USER_PUBLIC_KEY

This entry in the user’s authorized_keys file allows the key to be used only from $DEVICE_IP_ADDRESS and prevents it from obtaining a terminal (pty), forwarding ports, or using X11 or agent forwarding on the destination system, yet still allows shell scripts to run commands. SSH access with this key is non-interactive.

These options alone do not prevent malicious behavior. Anyone holding the private key could still execute ssh $USER@$COMPUTER "rm -rf /etc", or overwrite or read files using scp.

Limiting actions is possible with the command= option. When that option is present, sshd executes the command defined in the authorized_keys file for that public key regardless of which command the remote user sends; the command the user asked for is never run.
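The following wrapper is an added example and is not part of the original post. It shows the usual way of making command= useful: instead of forcing one fixed command, point command= at a small script that inspects what the client asked for (sshd passes that in the SSH_ORIGINAL_COMMAND environment variable) and runs it only if it matches a short allow-list. The script name /usr/local/bin/ssh-gate.sh, the request names backup-status and backup-run, and the paths they map to are assumptions chosen for the example. Because the forced command replaces everything the client sends, including scp and sftp, those are blocked unless the script explicitly allows them.

```shell
#!/bin/sh
# Added example: a forced-command gate for one authorized_keys entry.
# Assumed authorized_keys line (the options after command= are the ones
# from the post):
#   command="/usr/local/bin/ssh-gate.sh",from="$DEVICE_IP_ADDRESS",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty $USER_PUBLIC_KEY
# sshd runs this script for every connection made with that key and puts the
# command the client requested into $SSH_ORIGINAL_COMMAND (unset for a plain
# interactive login attempt).

# Decide whether a request is permitted. Prints a decision token and returns
# 0 for an allowed request, 1 for anything else. Kept free of side effects so
# the policy can be tested on its own.
gate_decide() {
    case "$1" in
        "")              echo "deny:empty";    return 1 ;;  # no command = login attempt
        "backup-status") echo "allow:status";  return 0 ;;
        "backup-run")    echo "allow:run";     return 0 ;;
        *)               echo "deny:unknown";  return 1 ;;  # includes 'rm -rf /etc', scp, sftp
    esac
}

# Perform the action behind an allowed decision token. Paths are hypothetical.
gate_run() {
    case "$1" in
        "allow:status") cat /var/lib/backup/last-run.log ;;
        "allow:run")    /usr/local/bin/run-backup.sh ;;
    esac
}

# Only act when really invoked by sshd (SSH_CONNECTION is set in that case);
# otherwise just define the functions above.
if [ -n "${SSH_CONNECTION:-}" ]; then
    client_ip="${SSH_CONNECTION%% *}"
    decision=$(gate_decide "${SSH_ORIGINAL_COMMAND:-}") || true
    case "$decision" in
        allow:*)
            logger -t ssh-gate "allowed '$SSH_ORIGINAL_COMMAND' from $client_ip"
            gate_run "$decision"
            ;;
        *)
            logger -t ssh-gate "rejected '${SSH_ORIGINAL_COMMAND:-<none>}' from $client_ip"
            echo "command not permitted" >&2
            exit 1
            ;;
    esac
fi
```

With this in place, ssh $USER@$COMPUTER backup-run performs the backup, while ssh $USER@$COMPUTER "rm -rf /etc" and a bare ssh $USER@$COMPUTER are both logged via syslog and refused. Matching the whole request against a fixed list, rather than searching it for a substring, is what keeps shell metacharacters in the request from mattering: the request string is only ever compared, never evaluated.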

Posted: Category: Usability Tagged: General