Linux – Using command in ssh authorized_keys breaks scp

authenticationlinuxscpssh

I would like to use command per key in authorized_keys to set some environment variables.

command="MYVAR=test $SHELL" ssh-rsa mykey

Shell works fine but scp is not working.

What would be the correct way to set environment variables per key and not break ssh file transfers?

Best Answer

Your configuration forces ssh to run whatever command is in $SHELL whenever you connect with the matching private key. This is fine if what you want is an interactive shell, but will break any attempt at running a command directly. This breaks `scp as you've seen, but will also break things like:

ssh myhost uptime

The solution is to either (a) set your environment variables somewhere else (.ssh/rc, or just use your standard shell initialization files), or (b) use a dedicated key when you want to force a command via your authorized_keys file.

Related Solutions

Can Malicious User Bypass SSH Authorized_Keys Forced Command?

If the allowed command set includes the sftp daemon (or internal-sftp), then SFTP would be allowed. However, if you're setting the forced command in the authorized_keys file and the user had sftp access, without additional work they could replace the file with one not restricted to what you define. This would of course work with any application that the user can instruct to modify that file (intentionally or by tricking it). A better option may be to restrict by user or group within the main sshd_config, possibly with ChrootDirectory.

Linux SCP – Can SCP Copy Directories Recursively?

Yup, use -r:

scp -rp sourcedirectory user@dest:/path

-r means recursive
-p preserves modification times, access times, and modes from the original file.

Note: This creates the sourcedirectory inside /path thus the files will be in /path/sourcedirectory

Best Answer

Related Solutions

Can Malicious User Bypass SSH Authorized_Keys Forced Command?

Linux SCP – Can SCP Copy Directories Recursively?

Related Topic