The FreeBSD Diary

The FreeBSD Diary (TM)

Providing practical examples since 1998

If you buy from Amazon USA, please support us by using this link.
 New Topic  |  Go to Top  |  Go to Topic  |  Search  |  Log In   Newer Topic  |  Older Topic 
 restricting commands
Author: Julian King 
Date:   11-02-02 13:51

Observation, you don't talk about using 'command=/path/to/command'
in your authorized_keys file. This is a useful addition to the
security of any key in that you can restrict what the key
can do.

Note however that you have to be careful to write secure
commands for it to use - there is little point writing a shell
script which just allows you to pass the -i flag, for example.



Reply To This Message
 Re: restricting commands
Author: Dan Langille 
Date:   11-02-02 15:04

well, umm, you didn't talk about it either... ;)

What does 'command=/path/to/command' do?

What about the -i command?

Good points (I think) but more information please.

Reply To This Message
 Re: restricting commands
Author: Francis Vidal 
Date:   12-06-02 07:52

I think putting a command limit is a good practice if you don't use any password for the SSH key. For simple copying commands, you can probably use "command=/bin/false". I also found a tool called 'keychain' made by a guy from GenToo Linux <URL:>.

From the project website "...The keychain bash script makes handling RSA and DSA keys both convenient and secure. It acts as a front-end to ssh-agent, allowing you to easily have one long-running ssh-agent process per system, rather than per login session. This dramatically reduces the number of times you need to enter your passphrase from once per new login session to once every time your local machine is rebooted." <URL:>

Reply To This Message
 Forum List  |  Threaded View   Newer Topic  |  Older Topic 

 User Login
 User Name:
 Remember my login:
 Forgot Your Password?
Enter your email address or user name below and a new password will be sent to the email address associated with your profile.
How to get the most out of the forum