As I understand, currently there is no way in sshd_config to match based on the client public key so different configuration for the same username can be applied depending on the key, right?

My case is a backup login that needs to run as a root to access all the files and where I want to use ForceCommand to allow the login only to execute a particular command and yet still allow normal root logins. As a workaround currently I have a dummy account with ForceCommand that executes a setuid wrapper for the backup where the wrapper can only run from that account.

It works, but it would be nice to avoid this error-prone extra-account+setuid combination and allow in sshd_config either to match based on public keys or to support custom mapping of ssh accounts into system ones.

Hi,

On Tue, Feb 17, 2015 at 07:51:27AM +0100, Igor Bukanov wrote:
> My case is a backup login that needs to run as a root to access all
> the files and where I want to use ForceCommand to allow the login only
> to execute a particular command and yet still allow normal root
> logins.

You can put command="..." in $HOME/.ssh/authorized_keys

gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany gert at greenie.muc.de
fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de

Thanks, I missed that authorized_keys can contain all the configuration I need.

On 17 February 2015 at 10:01, Gert Doering <gert at greenie.muc.de> wrote:
> Hi,
>
> On Tue, Feb 17, 2015 at 07:51:27AM +0100, Igor Bukanov wrote:
>> My case is a backup login that needs to run as a root to access all
>> the files and where I want to use ForceCommand to allow the login only
>> to execute a particular command and yet still allow normal root
>> logins.
>
> You can put command="..." in $HOME/.ssh/authorized_keys
>
> gert
> --
> USENET is *not* the non-clickable part of WWW!
> //www.muc.de/~gert/
> Gert Doering - Munich, Germany gert at greenie.muc.de
> fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de
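
The per-key restriction suggested in the reply above, as an added example that is not part of the original thread: an `authorized_keys` entry (shown in the comments) forces one root key through a gate script while other root keys stay unrestricted. The script path `/usr/local/sbin/backup-gate`, the backup program `/usr/local/sbin/run-backup`, its `--full`/`--incremental` flags and the key line are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Paths, flags and the key line are hypothetical.
#
# /root/.ssh/authorized_keys entry for the backup key only (a single line; the
# key blob is a placeholder). Root keys without command= keep normal logins.
#   command="/usr/local/sbin/backup-gate",restrict ssh-ed25519 AAAA...PLACEHOLDER backup@example
# "restrict" (OpenSSH 7.2+) disables forwarding and PTY allocation; on older
# releases spell out no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty.

BACKUP_CMD=${BACKUP_CMD:-/usr/local/sbin/run-backup}  # hypothetical backup program

# sshd runs the forced command and exposes what the client asked for in
# SSH_ORIGINAL_COMMAND. Accept only exact, known requests: print the mode and
# return 0 when allowed, return 1 otherwise (an empty request is a shell attempt).
gate_decision() {
    case $1 in
        "backup full"|"backup incremental")
            printf '%s\n' "${1#backup }"
            return 0 ;;
    esac
    return 1
}

gate_main() {
    if mode=$(gate_decision "${SSH_ORIGINAL_COMMAND:-}"); then
        logger -t backup-gate "allowed mode=$mode" 2>/dev/null || true
        exec "$BACKUP_CMD" "--$mode"
    fi
    logger -t backup-gate "refused request" 2>/dev/null || true
    echo "backup-gate: request not permitted" >&2
    return 1
}

# Act only when installed under the name used in authorized_keys, so the file
# can also be sourced to exercise gate_decision on its own.
case ${0##*/} in
    backup-gate) gate_main; exit $? ;;
esac
```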