Authorized Key Commands
Published on 23 Jan 2005. Tags: #SSH
Please be sure to have read and understood public key authentication. In ~/.ssh/authorized_keys a public key may be prefixed with a comma-separated list of options:

- command="HARD_CMD"
  The supplied command (HARD_CMD) is executed instead of any command supplied by the client on its command line (SOFT_CMD). The client cannot bypass this mechanism, but the server can still decide to run SOFT_CMD on the client's behalf; read on to find out how.
- from="PATTERN-LIST"
  A comma-separated list of patterns restricting the client addresses that are allowed to connect with the corresponding private key. Patterns may use * and ?.
- no-port-forwarding
  Port forwarding is prohibited for connections using this public key.
- no-X11-forwarding
  X11 forwarding is prohibited for connections using this public key.
- no-agent-forwarding
  Agent forwarding is prohibited for connections using this public key.
Executing SOFT_CMD although HARD_CMD is specified:

- Make HARD_CMD a script and place it on the server.
- The connecting client can be identified by an environment variable (SSH_CLIENT).
- SOFT_CMD is provided via an environment variable (SSH_ORIGINAL_COMMAND).
- Based on those two environment variables, HARD_CMD can decide whether to execute SOFT_CMD.
Example script:

    #!/usr/bin/perl
    use strict;
    use warnings;

    # sshd sets SSH_CLIENT to "client_ip client_port server_port" and
    # SSH_ORIGINAL_COMMAND to whatever the client asked to run (SOFT_CMD).
    # Both may be absent (e.g. plain interactive login), so default to ''.
    my ($remote_ip, $remote_port, $local_port) = split(' ', $ENV{'SSH_CLIENT'} || '');
    $remote_ip = '' unless defined $remote_ip;
    my $command = defined $ENV{'SSH_ORIGINAL_COMMAND'} ? $ENV{'SSH_ORIGINAL_COMMAND'} : '';

    my $oh_yeah = 0;
    # XXX.YYY. is a placeholder for the trusted network prefix; the dots are
    # escaped so they match literally rather than any character.
    if ($remote_ip =~ m/^XXX\.YYY\./) {
        # exact match only: anything else the client sends is refused
        if ($command eq 'SOFT_CMD') {
            $oh_yeah = 1;
        }
    }
    if ($oh_yeah) {
        system($command);
        exit($? >> 8);    # pass SOFT_CMD's exit status back to the client
    }
    exit(1);              # refused: wrong client or unexpected command
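The same gate, written here as an added POSIX sh example rather than the post's Perl script, so the decision logic can be checked without an SSH session. It assumes the script is installed as the forced command of an authorized_keys entry like the one in the leading comment; the network prefix 192.0.2., the three allowed commands and the sample SSH_CLIENT values are constructed example values, not from the post.

```sh
#!/bin/sh
# Forced-command gate for a restricted authorized_keys entry (illustration,
# not the post's own script). Assumed entry, with the options discussed above:
#
#   command="/usr/local/bin/ssh-gate",from="192.0.2.*",no-port-forwarding,no-X11-forwarding,no-agent-forwarding ssh-rsa AAAA... backup@example
#
# sshd runs this script (HARD_CMD) and passes the client's requested command
# (SOFT_CMD) in SSH_ORIGINAL_COMMAND and "ip port port" in SSH_CLIENT.

ALLOWED_PREFIX="192.0.2."   # constructed example value

# allowed_command: exact-match allowlist of SOFT_CMDs the client may request.
# Exact matching means "uptime; rm -rf /" or "uptime $(id)" is refused
# instead of being handed to a shell.
allowed_command() {
    case "$1" in
        'uptime'|'df -h'|'cat /var/log/backup.log') return 0 ;;
        *) return 1 ;;
    esac
}

# allowed_client: true when the address field of SSH_CLIENT ("ip port port")
# starts with ALLOWED_PREFIX. A missing or empty SSH_CLIENT is refused.
allowed_client() {
    ip=${1%% *}
    case "$ip" in
        "$ALLOWED_PREFIX"*) return 0 ;;
        *) return 1 ;;
    esac
}

# gate: combine both checks and report the decision as a string, so the
# policy can be exercised without executing anything.
gate() {
    if allowed_client "$1" && allowed_command "$2"; then
        echo allow
    else
        echo deny
    fi
}

# Only act when sshd invoked us as a forced command (SSH_ORIGINAL_COMMAND is
# set); otherwise the functions above are merely defined.
if [ -n "${SSH_ORIGINAL_COMMAND+set}" ]; then
    if [ "$(gate "${SSH_CLIENT:-}" "$SSH_ORIGINAL_COMMAND")" = allow ]; then
        set -f                        # no globbing while splitting into words
        exec $SSH_ORIGINAL_COMMAND    # safe: matched the allowlist verbatim
    fi
    echo "ssh-gate: refused '${SSH_ORIGINAL_COMMAND}' from '${SSH_CLIENT:-unknown}'" >&2
    exit 1
fi
```

Run under sshd, an allowed request is exec'd and its exit status returned to the client; anything else is logged to stderr (which sshd relays to the client) and refused. The `from=` option already limits which addresses may authenticate with the key; the SSH_CLIENT check inside the script is the second layer the post describes, and the exact-match allowlist is what keeps SSH_ORIGINAL_COMMAND from ever being interpreted by a shell.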