[clug] Starting k/ubuntu - Debian

Michael Cohen michael.cohen at netspeed.com.au
Tue May 15 01:08:00 GMT 2007

On Tue, May 15, 2007 at 10:50:18AM +1000, Andrew Janke wrote:
>   AllowUsers rotor
> will only allow me in.
>   AllowUsers rotor at some.address.com
> is even more restrictive.
> There is also an AllowGroups directive.
>   man sshd_config
> has lots and lots of things for the bored. :)

Cool, Thanks for that - I should rtfm one day :-)

> Of course if you want to get ridiculous you should also start adding
> things like this into your ssh keys in ~/.ssh/authorized_keys
>   from="hostname,hostname.fred.blogs.com" ssh-dss AAAA.......<lots of
>   characters that I am not copying... :)

This is very useful for controlling forced commands. For example I have a darcs
reposotory that I would like to give some people push access (to upload patches
etc). So I have something like this:

no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty,command="python ~/bin/darcs_wrapper.py" ssh-d
ss AAAAB....

Its important to remember to do all the no* stuff as well for that key. the
command darcs_wrapper controls what darcs can do (darcs uses sftp, and scp to
upload and merge patches on the repository). Regardless what darcs wants to do
the wrapper is executed and it decides if its ok or not. this way you can
restrict access to specific repos as well.

This is a very effective technique. I also used it for automated backup in the
past (where a backup agent needs to run as root automatically from a remote
machine from a cron job).


More information about the linux mailing list