Simply distributing a public key allows any remote host where the private key is known to make any kind of SSH connection (login, remote command execution, port forwarding, etc.) to the computer. However, a number of restrictions can be set in authorized_keys to limit that access. The $HOME/.ssh/authorized_keys file on the client not only provides a means for public key authentication, but can also impose certain restrictions. The syntax or format of the file is:
Each entry has four fields -
options - keytype - encoded-key - comment
Host Access Restriction:
from="*.dk.mydomain.com,escbps.mydomain.com" ssh-rsa ...
- This allows access only from the listed hosts or domains; other clients will still be unable to access this host even though they possess a valid private key.
The command option executes the specified "command" whenever this key authenticates, and ignores whatever command the remote user has supplied. This is one of the most powerful uses of SSH public key authentication, and it is usually used to create task-specific key pairs.
from="escbps.mydomain.com",command="/usr/local/bin/command",no-port-forwarding ssh-rsa AAAA
Other SSH facilities can also be suppressed by adding any of the following options to the options section -
In an environment where passphraseless access is a must and entirely automated remote connections keep flowing, it is generally a good idea to apply these options unless a connection actually needs one of these facilities.
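The four-field format and the restrictions above can be checked mechanically. The following is an added example, not part of the original page: a small Python auditor that splits an entry into its fields and reports which restrictions it lacks. The function names and sample lines are hypothetical, and the no-pty, no-agent-forwarding, no-X11-forwarding and restrict option names are taken from sshd(8), not from this page.

```python
import re

KEY_TYPES = ("ssh-", "ecdsa-sha2-", "sk-ssh-", "sk-ecdsa-")  # key type name prefixes
SUPPRESS = ("no-port-forwarding", "no-agent-forwarding", "no-x11-forwarding", "no-pty")

def split_entry(line):
    """Split a line into (options, keytype, encoded_key, comment); None if blank/comment."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    options = ""
    if not line.startswith(KEY_TYPES):
        # The options field ends at the first whitespace outside double quotes.
        i, quoted = 0, False
        while i < len(line) and (quoted or not line[i].isspace()):
            if quoted and line[i] == "\\":
                i += 1  # skip the escaped character
            elif line[i] == '"':
                quoted = not quoted
            i += 1
        options, line = line[:i], line[i:].lstrip()
    parts = line.split(None, 2)
    if len(parts) < 2 or not parts[0].startswith(KEY_TYPES):
        raise ValueError("malformed entry: no key type after the options field")
    return options, parts[0], parts[1], parts[2] if len(parts) > 2 else ""

def parse_options(options):
    """Map each option name (lowercased) to its quoted value, or True for a flag."""
    found = re.finditer(r'([A-Za-z0-9-]+)(?:="((?:[^"\\]|\\.)*)")?(?:,|$)', options)
    return {m.group(1).lower(): True if m.group(2) is None else m.group(2) for m in found}

def audit(line):
    """List the restrictions discussed on this page that the entry does not apply."""
    entry = split_entry(line)
    if entry is None:
        return []
    opts, findings = parse_options(entry[0]), []
    if "from" not in opts:
        findings.append("no from= host restriction")
    if "command" not in opts:
        findings.append("no forced command=")
    if "restrict" not in opts:  # restrict (OpenSSH 7.2+) disables these in one option
        findings += ["missing " + o for o in SUPPRESS if o not in opts]
    return findings

# Constructed sample lines; PLACEHOLDERKEY stands in for the base64 key material.
OPEN = "ssh-rsa PLACEHOLDERKEY ops@laptop"
TASK = 'from="escbps.mydomain.com",command="/usr/local/bin/command",no-port-forwarding ssh-rsa PLACEHOLDERKEY backup-job'
BROKEN = 'from="escbps.mydomain.com", no-pty ssh-rsa PLACEHOLDERKEY'  # space after comma
```

audit(TASK) reports only the three facilities that are still enabled, while split_entry(BROKEN) raises ValueError because no spaces are permitted in the options field outside double quotes.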