Configuring authorized keys file for public key based access
It is possible to establish a trusted SSH connection between two computers based on a public/private key pair and the authorized_keys configuration file. If the connection will be established manually rather than from a script, protecting the private key with a passphrase, as explained at Passphrase for ssh-keys, is recommended.
Basic authorized_keys configuration
To create an ssh public/private key pair, use the command:
ssh-keygen
which generates the appropriate keys and places them in the ~/.ssh folder automatically.
Now, to allow password-less access from the current machine to a remote machine, copy the ~/.ssh/id_rsa.pub file to ~/.ssh/authorized_keys on the remote machine. The authorized_keys file can contain multiple public keys, one per line. The permissions on the authorized_keys file should be 600.
Restricting use of keys from specific hosts
One can restrict use of a given public key to specific hosts by preceding the public key in the authorized_keys file with the 'from="<host>"' option, where the <host> pattern can use the wildcards '*' and '?'. Example specifications are:
from="10.4.15.6" <public-key> <comment>
from="10.4.15.*" <public-key> <comment>
Restricting use of commands by authorized_keys
To restrict a key in authorized_keys so that it can only be used for one specific command, use:
command="<forced-command>"
Note that in this case the forced command is executed even if the ssh client requested execution of some other command.
Combining multiple options
To specify more than one option, such as both 'from' and 'command', list the options one after another separated by a comma (,) without any space anywhere in the option string. An example configuration that restricts a particular key to the 'ls' command from IP 10.4.15.6 is:
from="10.4.15.6",command="ls" <public-key> <public-key-comment>
Restricting ssh facilities
Various ssh facilities can be restricted with further options such as:
- no-port-forwarding: disables port forwarding
- no-X11-forwarding: disables X11 forwarding
- no-agent-forwarding: disables agent forwarding, which otherwise lets the client forward its ssh-agent so that keys held in the agent can be used from the remote machine to reach other trusted computers. Refer to http://www.unixwiz.net/techtips/ssh-agent-forwarding.html to understand agent forwarding properly.
- no-pty: disables allocation of a pty for sessions using the given key
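The option syntax described in the sections above (a comma-separated option string with no unquoted spaces, followed by key type, key and comment) is easy to get subtly wrong, so an audit that parses each line and reports which restrictions a key lacks is useful when reviewing a server. The following parser and audit are an added example, not code from the page or from OpenSSH; the key fields in the sample are constructed placeholders, and the 'from' value in the second sample line uses the comma-separated pattern list that sshd accepts, which the parser must keep inside the quotes.

```python
KEY_TYPES = {"ssh-rsa", "ssh-ed25519", "ssh-dss", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}
RESTRICTIONS = ("no-port-forwarding", "no-X11-forwarding", "no-agent-forwarding", "no-pty")

def split_options(opts):
    """Split an option string on the commas that fall outside double quotes."""
    parts, buf, quoted = [], "", False
    for c in opts:
        quoted ^= c == '"'
        if c == "," and not quoted:
            parts, buf = parts + [buf], ""
        else:
            buf += c
    return parts + [buf] if buf else parts

def parse_line(line):
    """Parse one line into (options, key type, key, comment); None for blanks and comments."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    opts_text, rest = "", line
    if line.split(None, 1)[0] not in KEY_TYPES:   # option string ends at the first unquoted space
        i, quoted = 0, False
        while i < len(line) and (quoted or not line[i].isspace()):
            quoted ^= line[i] == '"'
            i += 1
        opts_text, rest = line[:i], line[i:].strip()
    fields = rest.split(None, 2)
    if len(fields) < 2 or fields[0] not in KEY_TYPES:
        raise ValueError("malformed authorized_keys line: " + line)
    options = {}
    for opt in split_options(opts_text):
        name, _, value = opt.partition("=")
        options[name] = value.strip('"') if value else True   # bare flags map to True
    return options, fields[0], fields[1], fields[2] if len(fields) == 3 else ""

def audit(text):
    """Map each key's comment to the options from this page that the key lacks."""
    report = {}
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed is not None:
            options, _, _, comment = parsed
            report[comment] = [o for o in ("from", "command") + RESTRICTIONS if o not in options]
    return report

# Constructed sample file; the key fields are placeholders, not real key material.
SAMPLE = """\
from="10.4.15.6",command="ls" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5PLACEHOLDER backup@job
from="10.4.15.*,192.168.1.?",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa AAAAB3NzaC1yc2EPLACEHOLDER admin@office
ssh-rsa AAAAB3NzaC1yc2EPLACEHOLDER2 laptop
"""
```

Running audit(SAMPLE) reports the 'laptop' key as missing every restriction, which is the case most worth a second look.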
Information learned from http://www.eng.cam.ac.uk/help/jpmg/ssh/authorized_keys_howto.html