[nycbug-talk] a righteous ssh hack, or how to do fine grained auth with only one login
Brian Gupta
brian.gupta at gmail.com
Tue Oct 4 23:50:47 EDT 2011
From the section for authorized_keys from the man page for sshd:
command="command"
Specifies that the command is executed whenever this key is used
for authentication. The command supplied by the user (if any) is
ignored. The command is run on a pty if the client requests a
pty; otherwise it is run without a tty. If an 8-bit clean channel
is required, one must not request a pty or should specify
no-pty. A quote may be included in the command by quoting it
with a backslash. This option might be useful to restrict certain
public keys to perform just a specific operation. An example
might be a key that permits remote backups but nothing else.
Note that the client may specify TCP and/or X11 forwarding unless
they are explicitly prohibited. The command originally supplied
by the client is available in the SSH_ORIGINAL_COMMAND environment
variable. Note that this option applies to shell, command
or subsystem execution.
I don't know if they are using this exactly, but it is the closest
native behavior I know of where different keys under the same account
have different behavior.
- Brian Gupta
New York City user groups calendar:
http://nyc.brandorr.com/
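The option quoted above is the whole mechanism behind the one-account, many-identities trick. As an added example (not from the post, the sshd man page, or gitolite), here is a small forced-command wrapper in POSIX sh: sshd starts it with the key owner's name as its only argument, and it decides from SSH_ORIGINAL_COMMAND which git operation, if any, gets exec'd. The script path, repository root, user names and the access table are assumptions.

```shell
#!/bin/sh
# ssh-gate: forced-command wrapper giving each key under one account its own
# identity and its own allowed operations (added example, not from the post).
#
# Assumed authorized_keys layout, one line per person (hypothetical path):
#   command="/usr/local/bin/ssh-gate alice",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-ed25519 AAAA... alice
# sshd ignores what the client asked to run and starts this script instead;
# the request survives only in SSH_ORIGINAL_COMMAND, which is untrusted input.

REPO_ROOT=/srv/git   # assumed location of the bare repositories

# Access table (constructed sample): "<user> <repo> <R|RW>", one rule per line.
ACL='alice proj RW
bob proj R
backup dumps RW'

# gate_decide USER "ORIGINAL_COMMAND": print the command to exec and return 0,
# or print nothing and return 1. Only the two git transport commands with a
# single-quoted, one-component repo name are recognised; anything else (an
# interactive shell, other tools, "../", shell metacharacters) is refused.
gate_decide() {
    user=$1; orig=$2
    case "$orig" in
        "git-upload-pack '"*"'")  need=R  ;;   # clone / fetch
        "git-receive-pack '"*"'") need=RW ;;   # push
        *) return 1 ;;
    esac
    verb=${orig%% *}                           # the git-*-pack verb itself
    repo=${orig#*\'}; repo=${repo%\'}          # strip the surrounding quotes
    repo=${repo%.git}
    case "$repo" in
        ''|*[!A-Za-z0-9_-]*) return 1 ;;       # no slashes, dots or metachars
    esac
    perm=$(printf '%s\n' "$ACL" | awk -v u="$user" -v r="$repo" '$1==u && $2==r {print $3}')
    case "$need:$perm" in
        R:R|R:RW|RW:RW) printf '%s %s/%s.git\n' "$verb" "$REPO_ROOT" "$repo" ;;
        *) return 1 ;;
    esac
}

# Entry point when sshd runs us: one argument (the key's owner) plus the
# client's request in the environment. Refusals are logged, never executed.
if [ $# -eq 1 ] && [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    if cmd=$(gate_decide "$1" "$SSH_ORIGINAL_COMMAND"); then
        exec $cmd    # word-split on purpose; every word was validated above
    fi
    logger -t ssh-gate "refused user=$1 cmd=$SSH_ORIGINAL_COMMAND"
    echo "ssh-gate: access denied" >&2
    exit 1
fi
```

The `no-*` options on the authorized_keys line matter as much as the command: without them the client could still open forwarded ports or a pty while the wrapper refuses its command.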
On Mon, Oct 3, 2011 at 6:28 PM, Marc Spitzer <mspitzer at gmail.com> wrote:
> http://sitaramc.github.com/gitolite/doc/gitolite-and-ssh.html
>
> how does gitolite use all this ssh magic?
>
> These are two different questions you ought to be having by now:
>
> how does it distinguish between me and someone else, since we're
> all logging in as the same remote user "git"
> how does it restrict what I can do within a repository
>
> It's a cool hack, go read.
>
> --
> Freedom is nothing but a chance to be better.
> --Albert Camus
>
> The problem with socialism is that eventually you run out
> of other people's money.
> --Margaret Thatcher