{"id":209,"date":"2005-09-05T07:54:57","date_gmt":"2005-09-05T12:54:57","guid":{"rendered":"https:\/\/www.suramya.com\/blog\/2005\/09\/05\/restricting-ssh-to-allow-users-to-only-run-allowed-commands\/"},"modified":"2022-06-16T15:17:55","modified_gmt":"2022-06-16T09:47:55","slug":"restricting-ssh-to-allow-users-to-only-run-allowed-commands","status":"publish","type":"post","link":"https:\/\/www.suramya.com\/blog\/2005\/09\/restricting-ssh-to-allow-users-to-only-run-allowed-commands\/","title":{"rendered":"Restricting SSH to allow users to only run allowed commands"},"content":{"rendered":"\n

To restrict access to a server by allowing an authorized user to only run a specific command add an authorized_keys file entry that looks like (this is all in one line one line)<\/p>\n

from=”202.41.95.13″,command=”rsync -aCz –server –sender $SRCDIR .”,
\nno-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty
\nssh-dss
\nAAAAB3NzaC1kc3M<\/p>\n

Here you must put the appropriate source directory in $SRCDIR.<\/p>\n

The authorized key file can be put in a dummy users directory. This dummy user should have appropriate read\/write permissions for the directory in question.<\/p>\n

As an alternative you can use a configuration file “–config=$FILE” in place of $SRCDIR.<\/p>\n

Once this is done, the owner of the SSH private key associated with the public-key (which is the bit that starts ssh-dss AAA….) can connect to the ssh server and start the above command and *only* the above command.<\/p>\n

– Suramya<\/p>\n

PS: Thanks to Kapil from the Linux Gazette Answer Gang for the above tip.<\/p>\n","protected":false},"excerpt":{"rendered":"

To restrict access to a server by allowing an authorized user to only run a specific command add an authorized_keys file entry that looks like (this is all in one line one line) from=”202.41.95.13″,command=”rsync -aCz –server –sender $SRCDIR .”, no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-dss AAAAB3NzaC1kc3M Here you must put the appropriate source directory in $SRCDIR. The authorized key […]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"activitypub_content_warning":"","activitypub_content_visibility":"","activitypub_max_image_attachments":3,"activitypub_interaction_policy_quote":"anyone","activitypub_status":"","footnotes":""},"categories":[19,17,2],"tags":[],"class_list":["post-209","post","type-post","status-publish","format-standard","hentry","category-computer-security","category-security-tutorials","category-techie-stuff"],"_links":{"self":[{"href":"https:\/\/www.suramya.com\/blog\/wp-json\/wp\/v2\/posts\/209","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.suramya.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.suramya.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.suramya.com\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.suramya.com\/blog\/wp-json\/wp\/v2\/comments?post=209"}],"version-history":[{"count":1,"href":"https:\/\/www.suramya.com\/blog\/wp-json\/wp\/v2\/posts\/209\/revisions"}],"predecessor-version":[{"id":5026,"href":"https:\/\/www.suramya.com\/blog\/wp-json\/wp\/v2\/posts\/209\/revisions\/5026"}],"wp:attachment":[{"href":"https:\/\/www.suramya.com\/blog\/wp-json\/wp\/v2\/media?parent=209"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.suramya.com\/blog\/wp-json\/wp\/v2\/categories?post=209"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.suramya.com\/blog\/wp-json\/wp\/v2\/tags?post=209"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}