Kick-arse SSH authorised_keys tricks
SSH is awesome. Not only is it a package of a secure remote shell, secure remote copying and secure FTP-ing, there are a whole bunch of extra features hidden away that allow you to do lots of cool things, like key-based authentication.
Now, key-based authentication has some pretty cool extra features as well. By using some of the options it provides, you can build your own authentication scheme and restricted shell on top of a single user account. What that means is that several people can log in as the same user, but depending on their keys, you can give them different permissions to do different things, or do any number of cool things based entirely on the unique identity given to them by the key they are logging in with.
This is how gitosis, a git repository management system, works, and probably how Gitorious and GitHub work too.
Here is a simple example (DISCLAIMER – no idea if this exact code actually works, writing stuff made up from memory here, but you should get the idea):
# on local machine
ssh-keygen -t rsa
# copy the id_rsa.pub to the remote machine
# on remote machine as user 'test'
cat id_rsa.pub >> ~/.ssh/authorized_keys
# now edit the authorized_keys file to be something like...
command="echo The command you would have run was: $SSH_ORIGINAL_COMMAND" ssh-rsa your_key_here
# now, on the local machine
ssh test@remote a_command_to_run
# should return The command you would have run was: a_command_to_run
You can provide a different command for each key. For example, you can write a more complicated script to run as the command and give it an argument that identifies the key that is running it. That script can then look at the original command request (in $SSH_ORIGINAL_COMMAND) and do all sorts of things, like check a database to see whether this particular key is authorised to run that command with those arguments.
At the office, we’ve written a simple git repository authentication system where we can all login as the same user, but a script will authenticate us against a configuration file to work out whether we have read and/or write permissions against whatever repo we are trying to access. It’s awesome and there is so much more you can do with it.
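A sketch of the kind of per-key gate script described above, as an added example (not the office script mentioned here and not gitosis code). The script path, the user names, the ACL contents and the ~/repositories root are all assumptions; the key owner's name arrives as the argument baked into each key's command="..." option.

```python
#!/usr/bin/env python3
"""Forced-command gate; authorized_keys passes the key owner's name as argv[1].

Constructed entry (script path and user name are assumptions), one line per key:
  command="/usr/local/bin/git-gate alice",restrict ssh-rsa AAAA... alice@laptop
"""
import os
import re
import shlex
import sys

# Constructed ACL: user -> repo -> "r" or "rw"; a real gate would load a config file.
ACL = {
    "alice": {"website.git": "rw", "infra.git": "r"},
    "bob": {"website.git": "r"},
}
# Git's server-side commands and the permission each one needs.
NEEDS = {"git-upload-pack": "r", "git-upload-archive": "r", "git-receive-pack": "w"}
REPO_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]*\.git")  # no slashes, no leading dot/dash


def authorize(user, original_command):
    """Return the argv to exec, or raise PermissionError explaining the refusal."""
    try:
        argv = shlex.split(original_command or "")
    except ValueError:
        raise PermissionError("unparseable command") from None
    if len(argv) != 2 or argv[0] not in NEEDS:
        raise PermissionError("only git fetch/push is allowed")
    repo = argv[1].lstrip("/")
    if not REPO_RE.fullmatch(repo):
        raise PermissionError("invalid repository name")
    if NEEDS[argv[0]] not in ACL.get(user, {}).get(repo, ""):
        raise PermissionError(f"{user} may not run {argv[0]} on {repo}")
    return [argv[0], repo]


def main():
    try:
        argv = authorize(sys.argv[1], os.environ.get("SSH_ORIGINAL_COMMAND"))
    except (IndexError, PermissionError) as exc:
        sys.exit(f"denied: {exc}")
    os.chdir(os.path.expanduser("~/repositories"))  # assumed repository root
    os.execvp(argv[0], argv)  # exec directly: no shell ever parses client input


if __name__ == "__main__":
    main()
```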