Saturday, August 14, 2010

Restricted SSH key access

I am NOT going to discuss here how we generate a SSH key pair and setup a pass-phraseless access between two computer systems - rather a very less known , yet very strong access restriction facility that is available with authorized_keys file.

A simple distribution of public key allows any remote host where the private key is known to make any kind of ssh connection (login, remote command execution, port forwarding, etc.) to the computer. But there are a number of restrictions that can be implemented in an authorized_keys to further restrict the access. The $HOME/.ssh/authorized_keys file on the client not only provides a means for public key authentication, but can also impose certain restrictions. The syntax or format of the file is:


It has four phrases -

options - keytype - encoded-key - comment


Host Access Restriction:

from="pattern list"

e.g.

from="*.dk.mydomain.com,escbps.mydomain.com" ssh-rsa ...

..................... debu@esprdmon1.mydomain.com

-This will allow access only from the mentioned host or domain, and other clients will still unable to access this host even though they posses a valid private key.

Forced command:

This method helps to execute the mentioned "command" whenever this key authenticates, and will ignore whatever command the remote user has supplied. This is one of the most powerful uses of SSH public key authentication, and usually is used to create task-specific key pair.

--clip--
from="escbps.mydomain.com ",command="/usr/local/bin/command", no-port-forwarding ssh-rsa AAAA
......
--clap--

Other options:

Well there exists some other ssh facilities too which can be used to suppress by adding any of the following options to the options section -

no-X11-forwarding,no-port-forwarding,no-agent-forwarding,no-pty

In an environment where passphraseless access is a must and where entirely automated remote connections keeps on flowing , it is generally a good idea to apply these options unless they actually needs one of these facilities.

Cheers!

DK

No comments:

Post a Comment

8c tips for Freshers / NCG's

I have been having a great company with some of the very talented NCG’s ( New College Hires/ Grads ) last ~2yrs.  I work for Intuit I...