[nycbug-talk] a righteous ssh hack, or how to do fine grained auth with only one login
brian.gupta at gmail.com
Tue Oct 4 23:50:47 EDT 2011
From the section for authorized_keys from the man page for sshd:
    Specifies that the command is executed whenever this key is used for
    authentication. The command supplied by the user (if any) is ignored.
    The command is run on a pty if the client requests a pty; otherwise it
    is run without a tty. If an 8-bit clean channel is required, one must
    not request a pty or should specify no-pty. A quote may be included in
    the command by quoting it with a backslash. This option might be useful
    to restrict certain public keys to perform just a specific operation.
    An example might be a key that permits remote backups but nothing else.
    Note that the client may specify TCP and/or X11 forwarding unless they
    are explicitly prohibited. The command originally supplied by the client
    is available in the SSH_ORIGINAL_COMMAND environment variable. Note that
    this option applies to shell, command or subsystem execution.
I don't know if they are using this exactly, but it is the closest
native behavior I know of where different keys under the same account
have different behavior.
- Brian Gupta
New York City user groups calendar:
On Mon, Oct 3, 2011 at 6:28 PM, Marc Spitzer <mspitzer at gmail.com> wrote:
> how does gitolite use all this ssh magic?
> These are two different questions you ought to be having by now:
> how does it distinguish between me and someone else, since we're
> all logging in as the same remote user "git"
> how does it restrict what I can do within a repository
> it's a cool hack, go read
> Freedom is nothing but a chance to be better.
> --Albert Camus
> The problem with socialism is that eventually you run out
> of other people's money.
> --Margaret Thatcher
> talk mailing list
> talk at lists.nycbug.org
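The mechanism Brian quotes (a forced `command=` on each key, with the client's request handed over in SSH_ORIGINAL_COMMAND) answers both of Marc's questions: the key tells the wrapper who is connecting, and the wrapper decides what that person may do. The script below is an added illustration, not code from the post and not gitolite's own implementation. It assumes an authorized_keys line of the form `command="/usr/local/bin/keygate alice",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa AAAA... alice@laptop` (the no-* options are there because, as the man page notes, forwarding stays available unless explicitly prohibited), a constructed policy table, and a hypothetical repository root of /srv/git. Only the two git transport commands are honoured, the repository name is whitelisted before it touches a path, and everything else is refused.

```sh
#!/bin/sh
# keygate: forced-command wrapper for a shared account (added example, not gitolite).
# sshd runs this instead of whatever the client asked for; the client's request is
# in SSH_ORIGINAL_COMMAND and $1 is the key owner from the authorized_keys line.

# Constructed policy table (hypothetical format): "user repo permission".
POLICY='alice project-a rw
alice project-b r
bob project-a r'

# Hypothetical repository root; every allowed repo lives directly under it.
REPO_ROOT=/srv/git

# permission_for USER REPO -> prints rw, r, or nothing when there is no entry.
permission_for() {
    printf '%s\n' "$POLICY" | awk -v u="$1" -v r="$2" '$1 == u && $2 == r { print $3 }'
}

# decide USER ORIGINAL_COMMAND -> prints the command to run and returns 0,
# or prints nothing and returns 1 when the request must be refused.
decide() {
    user=$1
    orig=$2

    # git sends exactly "git-upload-pack 'name'" (fetch/clone) or
    # "git-receive-pack 'name'" (push); anything else is refused outright.
    case "$orig" in
        "git-upload-pack '"*"'" | "git-receive-pack '"*"'") ;;
        *) return 1 ;;
    esac

    verb=${orig%% *}
    repo=${orig#* }
    repo=${repo#\'}
    repo=${repo%\'}

    # Whitelist the name before it becomes a path: no slashes, dots or quotes,
    # so "../etc" or "a';rm -rf /" can never reach the filesystem or a shell.
    case "$repo" in
        "" | *[!A-Za-z0-9_-]*) return 1 ;;
    esac

    perm=$(permission_for "$user" "$repo")
    # Read access suffices for upload-pack; push needs rw.
    case "$verb:$perm" in
        git-upload-pack:r | git-upload-pack:rw | git-receive-pack:rw)
            printf '%s %s\n' "$verb" "$REPO_ROOT/$repo.git" ;;
        *) return 1 ;;
    esac
}

# Entry point when sshd invokes the wrapper. Skipped when SSH_ORIGINAL_COMMAND is
# unset (an interactive login attempt, or the file being sourced for testing).
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    cmd=$(decide "${1:-}" "$SSH_ORIGINAL_COMMAND") || { echo "keygate: refused" >&2; exit 1; }
    # $cmd contains only the validated verb and path, so word splitting is safe here.
    set -- $cmd
    exec "$@"
fi
```

Because sshd logs the key fingerprint it accepted, pairing each key with a distinct owner argument also gives per-person audit trails on an account that everyone shares, which is the part of the gitolite trick that is easy to miss.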