Sometimes we need an SSH connection only to perform a few system activities, not to open a command shell on the remote host.
When performing security-critical tasks, or accessing highly secured machines, granting a full remote shell can amount to opening a breach.
E.g., backup tasks are usually performed by a specific system user that is granted access over SSH; allowing only a restricted set of commands for the backup user adds some security by avoiding system-wide access.
Adding some configuration to ~user/.ssh/authorized_keys on the remote host can be a quick solution (each entry is a single line in that file):
from="accessing_host.example.com",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,command="echo 'I can only print this useless message...damn'" ssh-rsa AAA...
...
...Pw== user@accessing_host.example.com
Where:
from option allows access from the specified host only.
no-port-forwarding,no-X11-forwarding,no-agent-forwarding options disable forwarding capabilities from the remote host.
command option defines which command the connecting user can issue to the remote host. ALL other commands are ignored.
command option can also point to a script containing different shell commands to accomplish complex tasks.
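
The script form of the command option described above, as an added example that is not part of the original page: sshd runs this gate script in place of whatever the client requested, and the script reads the request from SSH_ORIGINAL_COMMAND (set by sshd) and maps two accepted keywords onto fixed commands. The script path, DATA_ROOT and the keywords list and dump are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the original page): forced-command gate script.
# Assumptions: installed as /usr/local/bin/backup-gate.sh and referenced by
# command="/usr/local/bin/backup-gate.sh" in authorized_keys; DATA_ROOT and
# the request keywords "list" and "dump NAME" are illustrative.

DATA_ROOT=/srv/data

# A dataset name is one path component: letters, digits, "_" and "-",
# not empty and not starting with "-" (so it can never look like an option).
valid_name() {
    case "$1" in
        ""|-*|*[!A-Za-z0-9_-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Return 0 only for the two accepted request forms.
is_allowed() {
    case "$1" in
        list) return 0 ;;
        "dump "*) valid_name "${1#dump }" ;;
        *) return 1 ;;
    esac
}

# Map a validated request onto a fixed command line. The client's string is
# never handed to a shell or to eval; only the checked name is used.
run_request() {
    case "$1" in
        list) exec ls -1 "$DATA_ROOT" ;;
        "dump "*) exec tar -czf - -C "$DATA_ROOT" "${1#dump }" ;;
    esac
}

gate() {
    if is_allowed "$1"; then
        run_request "$1"
    fi
    echo "backup-gate: request refused" >&2
    return 1
}

# SSH_ORIGINAL_COMMAND holds what the client asked to run. It is unset for
# an interactive login, in which case nothing runs and the session ends.
if [ -n "${SSH_ORIGINAL_COMMAND+set}" ]; then
    gate "$SSH_ORIGINAL_COMMAND"
fi
```

With this in place, a client call such as ssh user@remote dump www streams the archive to the client's standard output, and any other request is refused with a non-zero exit status.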