I didn’t know about this and it’s quite useful. In OpenSSH you can specify the command to run when a given key connects. In effect this allows you to treat ssh keys as capability tokens. You can gin up a key pair, and then configure things so that key is useful for one and only one operation, say retrieving a log file or polling a remote system. If you don’t bother giving the key a pass phrase (you could also configure your ssh-agents just right) the client machine can use the capability in scripts as it pleases. The details for how to set up the authorized_keys file to do this are in the ssh manual.
For example, here is how you might create a way to ask a machine what its uptime is. First we create an ssh key pair to use.
ssh-keygen -t dsa -f /tmp/uptime_id -C 'for uptime queries' -N ''
The -N '' results in an empty pass phrase. I like to add a comment stating what this key’s purpose is. No doubt you’d want to save it someplace more useful than /tmp. (Current OpenSSH releases no longer accept DSA keys by default; there, use -t ed25519 and expect the public key line to begin with ssh-ed25519 instead of ssh-dss.)
That results in two files, for the private and public parts. We want to add the contents of /tmp/uptime_id.pub to the ~/.ssh/authorized_keys of our target machine (call it target.example.com) like so:
command="/usr/bin/uptime" ssh-dss AA … ucP0NNHm+w== for uptime queries
except of course the “ … ” in that example should be the entire public key. Take care not to remove the other entries in your user’s .ssh/authorized_keys on target.example.com.
Now you’re all set. Just do:
$ ssh -q -o 'ControlMaster no' -i /tmp/uptime_id target.example.com
11:00 up 6 days, 18:37, 3 users, load averages: 0.66 0.41 0.39
The “-q” quiets ssh’s verbosity, and the “-i /tmp/uptime_id” selects the key to offer. The -o to disable ControlMaster avoids the risk that you may already have a connection and ssh will try to share it.
Meanwhile on the client side you might create a pseudo-host in your .ssh/config file. Wired up just right you can say
ssh fetch-log-from-foo. In the ssh_config manual there is additional useful doc for. IdentitiesOnly helps keep a stray ssh-agent from blessing things with a more capable identity. You should disable the ControlMaster.
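The two halves of the setup above, sketched as shell functions. This is an added example, not code from the original post: the function names and the uptime-target alias are made up, and the restrict key option (OpenSSH 7.2 and later) and ControlPath none go beyond what the post uses, to switch off forwarding and pty allocation for the key and to keep ssh from reusing an existing shared connection.

```shell
#!/bin/sh
# Added example: function names, paths and the host alias are assumptions.

# Print an authorized_keys entry that pins the key in $1 to the command $2.
capability_line() {
    pubfile=$1; cmd=$2
    # Option values are double-quoted, so escape any quote in the command.
    escaped=$(printf '%s' "$cmd" | sed 's/"/\\"/g')
    printf 'command="%s",restrict %s\n' "$escaped" "$(cat "$pubfile")"
}

# Append that entry to the authorized_keys file $3, leaving existing
# entries untouched and doing nothing if the key is already listed.
install_capability() {
    pubfile=$1; cmd=$2; authfile=$3
    keyblob=$(awk '{print $2; exit}' "$pubfile")
    [ -n "$keyblob" ] || return 1          # not a public key file
    if [ -f "$authfile" ] && grep -qF -- "$keyblob" "$authfile"; then
        return 0
    fi
    # Subshell so the restrictive umask does not leak into the caller.
    ( umask 077; capability_line "$pubfile" "$cmd" >> "$authfile" )
}

# Print the client-side ~/.ssh/config pseudo-host: alias $1, real host $2,
# private key $3.
client_stanza() {
    name=$1; host=$2; identity=$3
    printf 'Host %s\n' "$name"
    printf '    HostName %s\n' "$host"
    printf '    IdentityFile %s\n' "$identity"
    printf '    IdentitiesOnly yes\n'     # ignore other agent identities
    printf '    ControlMaster no\n'
    printf '    ControlPath none\n'       # never reuse a shared connection
}

# On the target:
#   install_capability /tmp/uptime_id.pub /usr/bin/uptime ~/.ssh/authorized_keys
# On the client:
#   client_stanza uptime-target target.example.com /tmp/uptime_id >> ~/.ssh/config
#   ssh -q uptime-target
```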