Using ~/.ssh/authorized keys to decide what the incoming connection can do – Dan Langille's Other Diary

Delete Set public Set private Add tags Delete tags

19762 shaares
136 private links

19762 shaares · 136 private links

Filters

Links per page

20 50 100

Using ~/.ssh/authorized keys to decide what the incoming connection can do – Dan Langille's Other Diary

The following are lines from ~rsyncer/.ssh/authorized-keys on my dbclone host – which gathers database backups from various hosts.

from="x8dtu.example.org,10.1.1.1",command="/usr/local/sbin/rrsync -ro /usr/home/rsyncer/backups/bacula-database/postgresql/" ssh-ed25519
AAAAC3thisisalsonotmyrealpublickeybcxpFeUMAC2LOitdpRb9l0RoW7vt5hnzwt rsyncer@x8dtu.example.org

The above appears on two lines to make it easier to read without horizontal scrolling – in the file, it’s all on one line.

This says:

when an ssh connection comes in from a client at x8dtu.example.org, or 10.1.1.1
run /usr/local/sbin/rrsync -ro /usr/home/rsyncer/backups/bacula-database/postgresql/
and that client must have this key (as shown)
rsyncer@x8dtu.example.org is a comment, and has no effect

talk · commandline · linux

April 22, 2025 at 14:39:44 GMT+2 * · permalink

https://dan.langille.org/2025/04/17/using-ssh-authorized-keys-to-decide-what-the-incoming-connection-can-do/

Filters

Links per page

20 50 100