[nycbug-talk] a righteous ssh hack, or how to do fine grained auth with only one login

Brian Gupta brian.gupta at gmail.com
Tue Oct 4 23:50:47 EDT 2011


From the section for authorized_keys from the man page for sshd:

     command="command"
             Specifies that the command is executed whenever this key is used
             for authentication.  The command supplied by the user (if any) is
             ignored.  The command is run on a pty if the client requests a
             pty; otherwise it is run without a tty.  If an 8-bit clean
             channel is required, one must not request a pty or should specify
             no-pty.  A quote may be included in the command by quoting it
             with a backslash.  This option might be useful to restrict
             certain public keys to perform just a specific operation.  An
             example might be a key that permits remote backups but nothing
             else.  Note that the client may specify TCP and/or X11 forwarding
             unless they are explicitly prohibited.  The command originally
             supplied by the client is available in the SSH_ORIGINAL_COMMAND
             environment variable.  Note that this option applies to shell,
             command or subsystem execution.

I don't know if they are using this exactly, but it is the closest
native behavior I know of where different keys under the same account
have different behavior.

- Brian Gupta

New York City user groups calendar:
http://nyc.brandorr.com/




On Mon, Oct 3, 2011 at 6:28 PM, Marc Spitzer <mspitzer at gmail.com> wrote:
> http://sitaramc.github.com/gitolite/doc/gitolite-and-ssh.html
>
> how does gitolite use all this ssh magic?
>
> These are two different questions you ought to be having by now:
>
>    how does it distinguish between me and someone else, since we're
> all logging in as the same remote user "git"
>    how does it restrict what I can do within a repository
>
> it's a cool hack, go read
>
> --
> Freedom is nothing but a chance to be better.
> --Albert Camus
>
>  The problem with socialism is that eventually you run out
> of other people's money.
> --Margaret Thatcher
>
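
The per-key behaviour described in the man page excerpt above, as an added example that is not part of the thread and is not gitolite's code: each key in the shared account's authorized_keys gets a forced command that carries a user name, and the wrapper authorizes the request found in SSH_ORIGINAL_COMMAND. The wrapper path /usr/local/bin/key-gate, the /srv/git root, the users and the policy table are all assumptions made for illustration.

```shell
#!/bin/sh
# key-gate: hypothetical forced-command wrapper (added example, not gitolite's code).
# Constructed ~git/.ssh/authorized_keys entries (key material elided); forwarding
# and pty are prohibited explicitly, as the man page says they must be:
#   command="/usr/local/bin/key-gate alice",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-ed25519 AAAA... alice
#   command="/usr/local/bin/key-gate bob",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-ed25519 AAAA... bob

# Constructed policy, one "user:verb:repo" grant per line.
POLICY='alice:git-upload-pack:docs
alice:git-receive-pack:docs
bob:git-upload-pack:docs'

# gate_decide USER ORIGINAL_COMMAND
# Prints "allow VERB REPO" (status 0) or "deny REASON" (status 1).
gate_decide() {
    user=$1 orig=$2
    # Accept only: known verb, one space, a single-quoted argument.
    case $orig in
        "git-upload-pack '"*"'"|"git-receive-pack '"*"'") ;;
        *) echo "deny unsupported-command"; return 1 ;;
    esac
    verb=${orig%% *}
    repo=${orig#*\'}; repo=${repo%\'}
    # Repo names: non-empty, no leading dot, only [A-Za-z0-9._-].
    # This rejects embedded quotes, spaces, ';' and path separators.
    case $repo in
        ''|.*|*[!A-Za-z0-9._-]*) echo "deny bad-repo-name"; return 1 ;;
    esac
    if printf '%s\n' "$POLICY" | grep -qxF "$user:$verb:$repo"; then
        echo "allow $verb $repo"; return 0
    fi
    echo "deny not-authorized"; return 1
}

# Entry point when sshd runs the forced command: $1 is the name bound to the key.
if [ "$#" -ge 1 ]; then
    decision=$(gate_decide "$1" "${SSH_ORIGINAL_COMMAND:-}") || {
        echo "key-gate: $1: $decision" >&2; exit 1; }
    set -- $decision            # safe to split: both fields were validated above
    exec "$2" "/srv/git/$3.git" # /srv/git is a hypothetical repository root
fi
```

The identity comes from the authorized_keys line, never from the client, so the client-supplied command is treated purely as untrusted input to be parsed and checked.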


