Sometimes we need an SSH connection only to perform a few system tasks, not to actually open a command shell on the remote host.
When performing security-critical tasks, or accessing highly secured machines, granting a full remote shell can be equivalent to opening a breach.
E.g., backup tasks are usually performed by a specific system user that is granted access over SSH; allowing only a restricted set of commands for the backup user adds some security by avoiding system-wide access.
Adding some configuration to ~user/.ssh/authorized_keys on the remote host can be a quick solution:
from="accessing_host.example.com",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,command="echo 'I can only print this useless message...damn'" ssh-rsa AAA...
from option allows access from the specified host only
no-port-forwarding,no-X11-forwarding,no-agent-forwarding disable forwarding capabilities from the remote host
command option defines which command the connecting user can issue to the remote host. ALL other commands are ignored.
The command option can also point to a script containing several shell commands to accomplish complex tasks.
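As an added example (not from the original post), here is a forced-command script of the kind described above for a backup user. sshd passes the command the client asked for in the SSH_ORIGINAL_COMMAND environment variable, and the script maps it to a fixed allow-list. The script path, the `--run` argument, the `backup-*` request names and the `/var/backups` directory are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. Hypothetical install, using the options shown above:
#   command="/usr/local/bin/backup-gate.sh --run",no-port-forwarding,no-X11-forwarding,no-agent-forwarding ssh-rsa AAA...
# sshd runs this script instead of whatever the client asked for; the client's
# request is only available as text in $SSH_ORIGINAL_COMMAND.

BACKUP_DIR=${BACKUP_DIR:-/var/backups}   # assumed backup location

# Map the requested command to an internal action. Prints the action and
# returns 0 when the request is on the allow-list, returns 1 otherwise.
classify_request() {
    case $1 in
        backup-status) echo "status" ;;
        backup-list)   echo "list" ;;
        "backup-fetch "*)
            name=${1#"backup-fetch "}
            # File name must be non-empty, must not start with a dot or contain
            # "..", and may use only letters, digits, '.', '_' and '-'.
            case $name in
                ""|.*|*..*|*[!A-Za-z0-9._-]*) return 1 ;;
            esac
            echo "fetch:$name" ;;
        *) return 1 ;;
    esac
}

# Run the fixed command behind an allowed action. The request text itself is
# never passed to eval or sh -c.
run_request() {
    action=$(classify_request "$1") || {
        echo "rejected: command not permitted" >&2
        return 1
    }
    case $action in
        status)  ls -ld -- "$BACKUP_DIR" ;;
        list)    ls -1 -- "$BACKUP_DIR" ;;
        fetch:*) cat -- "$BACKUP_DIR/${action#fetch:}" ;;
    esac
}

# Entry point used by the forced command; a plain ssh login with no command
# arrives with an empty request and is rejected.
if [ "${1:-}" = "--run" ]; then
    run_request "${SSH_ORIGINAL_COMMAND:-}"
    exit $?
fi
```

With this in place, `ssh backup@host backup-list` runs the listing, while any other request, including an interactive login, is refused with a non-zero exit status.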