====== Restricting SSH commands via key-file authentication ======

SSH offers several options in the authorized_keys file, among them restricting which commands a key may run. See the relevant documentation:

AUTHORIZED_KEYS FILE FORMAT

AuthorizedKeysFile specifies the files containing public keys for public key authentication; if this option is not specified, the default is ~/.ssh/authorized_keys and ~/.ssh/authorized_keys2. Each line of the file contains one key (empty lines and lines starting with a ‘#’ are ignored as comments).

(...)

command="command"
Specifies that the command is executed whenever this key is used for authentication. The command supplied by the user (if any) is ignored. The command is run on a pty if the client requests a pty; otherwise it is run without a tty. If an 8-bit clean channel is required, one must not request a pty or should specify no-pty. A quote may be included in the command by quoting it with a backslash.

(...)

from="pattern-list"
Specifies that in addition to public key authentication, either the canonical name of the remote host or its IP address must be present in the comma-separated list of patterns. See PATTERNS in ssh_config(5) for more information on patterns.

(...)

no-port-forwarding
Forbids TCP forwarding when this key is used for authentication. Any port forward requests by the client will return an error. This might be used, e.g. in connection with the command option.

no-X11-forwarding
Forbids X11 forwarding when this key is used for authentication. Any X11 forward requests by the client will return an error.

(...)

restrict
Enable all restrictions, i.e. disable port, agent and X11 forwarding, as well as disabling PTY allocation and execution of ~/.ssh/rc. If any future restriction capabilities are added to authorized_keys files they will be included in this set.

===== Examples =====

==== Rsync ====

  * An rsync call such as "rsync -a /local-folder user@remote-host:/remote-folder" does not need SFTP; instead, rsync invokes "rsync --server" on the remote side via SSH.
  * If you want a secure backup without granting general access to the "remote-host", you can restrict the permitted commands.
  * The command that is actually executed can be discovered with "rsync -ae 'ssh -v' /local-folder user@remote-host:/remote-folder".
  * "debug: Sending command: rsync --server ...." is the command that must be allowed.

=== Example ===

<code>
from="192.168.0.1",command="rsync --server ....",restrict ssh-rsa AA10923809218309...
</code>
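The procedure above (read the server command from the "ssh -v" debug output, then pin it in authorized_keys together with "from" and "restrict") as an added shell example; this is not part of the original page. The debug line, the rsync server flags, the address 192.168.0.1 and the key material are constructed sample values.

```shell
#!/bin/sh
# Constructed sample of the line that
#   rsync -ae 'ssh -v' /local-folder user@remote-host:/remote-folder
# prints on the client. The server flags depend on the rsync version and
# on the client options used, so the command must be re-read whenever
# those change; the pinned command is then rejected otherwise.
SAMPLE_DEBUG='debug1: Sending command: rsync --server -logDtpre.iLsfxC . /remote-folder'

# Read "ssh -v" output on stdin and print only the server command
# (the text after "Sending command: ").
extract_rsync_command() {
    sed -n 's/^debug[0-9]*: Sending command: //p'
}

# Compose the authorized_keys entry: limit the source address, pin the
# exact command and enable every other restriction (no forwarding, no pty,
# no ~/.ssh/rc). $1 = from pattern, $2 = command, $3 = public key.
build_authorized_key() {
    printf 'from="%s",command="%s",restrict %s\n' "$1" "$2" "$3"
}

# Audit helper: an existing authorized_keys line passes only when it pins a
# command AND carries "restrict". Returns 0 when the line is acceptable.
check_authorized_key() {
    case "$1" in
        *command=\"*restrict*|*restrict*command=\"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Demonstration with the constructed sample values
cmd=$(printf '%s\n' "$SAMPLE_DEBUG" | extract_rsync_command)
line=$(build_authorized_key "192.168.0.1" "$cmd" "ssh-rsa AAAA...EXAMPLE-KEY...")
printf '%s\n' "$line"
```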