Openssh authorized key commands
I didn’t know about this and it’s quite useful. In Openssh you can specify the command to run when a given key connects. In effect this allows you to treat ssh keys as capability tokens. You can gin up a key pair, and then configure things so that key is useful for one and only one operation; say retrieving a log file or polling a remote system. If you leave don’t bother with giving the key a pass phrase (you could also configure your ssh-agents just right) the client machine can use the capability in scripts as it pleases. The details for how to set up the authorized_key file to do this are in the ssh manual. Meanwhile on the client side it helps to setup a pseudo host in your .ssh/config file. Wire up just right you can say ssh fetch-log-from-foo. In the ssh-config manual there is additional useful doc for. IdentitiesOnly helps keep a stray ssh-agent from blessing things with a more capable identity. You should disable the ControlMaster, setting that to no.