[nycbug-talk] a righteous ssh hack, or how to do fine grained auth with only one login

Pete Wright pete at nomadlogic.org
Wed Oct 5 12:18:18 EDT 2011

On 10/4/11 8:50 PM, Brian Gupta wrote:
>  From the section for authorized_keys from the man page for sshd:
>       command="command"
>               Specifies that the command is executed whenever this key is used
>               for authentication.  The command supplied by the user (if any) is
>               ignored.  The command is run on a pty if the client requests a
>               pty; otherwise it is run without a tty.  If an 8-bit clean chan‐
>               nel is required, one must not request a pty or should specify
>               no-pty.  A quote may be included in the command by quoting it
>               with a backslash.  This option might be useful to restrict cer‐
>               tain public keys to perform just a specific operation.  An exam‐
>               ple might be a key that permits remote backups but nothing else.
>               Note that the client may specify TCP and/or X11 forwarding unless
>               they are explicitly prohibited.  The command originally supplied
>               by the client is available in the SSH_ORIGINAL_COMMAND environ‐
>               ment variable.  Note that this option applies to shell, command
>               or subsystem execution.
> I don't know if they are using this exactly, but it is the closest
> native behavior I know of where different keys under the same account
> have different behavior.
yea I like that functionality too.  we use this currently for puppet 
configs stored in svn.  we have a special RSA key installed on our svn 
repository for our the UID we run puppet as.  so when we have our 
puppetmaster svn up itself it executes only our predetermined svn co 
code as defined by "command=svn up command here, $RSA_PUB_KEY"


Pete Wright
pete at nomadlogic.org

More information about the talk mailing list