Openssh authorized key commands

I didn’t know about this and it’s quite useful. In Openssh you can specify the command to run when a given key connects. In effect this allows you to treat ssh keys as capability tokens. You can gin up a key pair, and then configure things so that key is useful for one and only one operation; say retrieving a log file or polling a remote system.  If you leave don’t bother with giving the key a pass phrase (you could also configure your ssh-agents just right) the client machine can use the capability in scripts as it pleases. The details for how to set up the authorized_key file to do this are in the ssh manual.

For example here is how you might create way to ask a machine what it’s uptime is.  First we create a ssh key pair to use.

ssh-keygen -t dsa -f /tmp/uptime_id -C ‘for uptime queries’ -N ”

The -N ” results in an empty pass phrase.  I like to add a comment stating what this key’s purpose is.  No doubt you’d probably want to save it someplace more useful than /tmp.

That results in two file, for the private/public parts.  We want to add the /tmp/ into the ~/.ssh/authorized_keys of our target machine (call it as so:

command=”/usr/bin/uptime” ssh-dss AA … ucP0NNHm+w== for uptime queries

except of course the ” … ” in that example should be the entire public key.  Take careful not to remove your other entries in your user’s’s .ssh/authorized_keys.

Now your all set.  Just do:

$ ssh -q -o ‘ControlMaster no’ -i /tmp/uptime_id
11:00  up 6 days, 18:37, 3 users, load averages: 0.66 0.41 0.39

The “-q” quiets ssh’s verbosity; and the “-i /tmp/uptime_id”.  The -o to disable ControlMaster avoids the risk that you may already have a connection and ssh will try to share it.

Meanwhile on the client side you might create a pseudo-host in your .ssh/config file.  Wire up just right you can say ssh fetch-log-from-foo.  In the ssh-config manual there is additional useful doc for. IdentitiesOnly helps keep a stray ssh-agent from blessing things with a more capable  identity.  You should disable the ControlMaster.

Leave a Reply

Your email address will not be published. Required fields are marked *