SSH – commands in authorized_keys

command-line-interface, ssh, ssh-keys

I've created an SSH non-root/non-superuser user with an authorized_key to remotely log in to my server and shut it down. However, I'm trying to do this from within the authorized_key file by using the command="" syntax.

I have the following in the authorized_keys file:

command="shutdown -p now",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa 

However, when trying to execute the SSH login, while the user is able to log in, the command doesn't seem to be executed.

What is the correct syntax for commands when being used in the authorized_keys?

How do no-port-forwarding, no-X11-forwarding, etc. affect the user's ability to log in with the command remotely?

The command:

/usr/bin/ssh -2 -i /path/to/.ssh/rsa -p 22 -vvv -l user xxx.xxx.0.25

Debug information:

debug2: we sent a publickey packet, wait for reply
debug1: Server accepts key: pkalg ssh-rsa blen 279
debug2: input_userauth_pk_ok: fp 
// REMOVED
debug3: sign_and_send_pubkey: RSA 
// REMOVED
debug1: key_parse_private_pem: PEM_read_PrivateKey failed
debug1: read PEM private key done: type <unknown>
Saving password to keychain failed
debug3: Incorrect RSA1 identifier
debug1: read PEM private key done: type RSA
Identity added: /.... //removed
(/.../.ssh/shutdown_rsa) // removed 
debug1: read PEM private key done: type RSA
debug1: Authentication succeeded (publickey).
Authenticated to xxx.xxx.0.25 ([xxx.xxx.0.25]:22). //removed
debug1: channel 0: new [client-session]
debug3: ssh_session2_open: channel_new: 0
debug2: channel 0: send open
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
debug1: client_input_global_request: rtype hostkeys-00@openssh.com want_reply 0
debug2: callback start
debug2: fd 3 setting TCP_NODELAY
debug3: packet_set_tos: set IP_TOS 0x10
debug2: client_session2_setup: id 0
debug2: channel 0: request pty-req confirm 1
debug1: Sending environment.
debug3: Ignored env TERM_PROGRAM
debug3: Ignored env SHELL
debug3: Ignored env TERM
debug3: Ignored env TMPDIR
debug3: Ignored env Apple_PubSub_Socket_Render
debug3: Ignored env TERM_PROGRAM_VERSION
debug3: Ignored env TERM_SESSION_ID
debug3: Ignored env USER
debug3: Ignored env SSH_AUTH_SOCK
debug3: Ignored env __CF_USER_TEXT_ENCODING
debug3: Ignored env PATH
debug3: Ignored env PWD
debug3: Ignored env XPC_FLAGS
debug3: Ignored env XPC_SERVICE_NAME
debug3: Ignored env SHLVL
debug3: Ignored env HOME
debug3: Ignored env LOGNAME
debug1: Sending env LC_CTYPE = UTF-8
debug2: channel 0: request env confirm 0
debug3: Ignored env DISPLAY
debug3: Ignored env SECURITYSESSIONID
debug3: Ignored env _
debug2: channel 0: request shell confirm 1
debug2: callback done

Best Answer

The "command" directive in authorized_keys DOES NOT execute the specified command; it only allows the user to run this particular command remotely using this key.
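
On the syntax question, here is an added example (not part of the original question or answer) that parses the options field of an authorized_keys line the way sshd(8) describes it: comma-separated options, no spaces except inside double quotes, keywords case-insensitive. It then reports missing restrictions. The function names are hypothetical, and the key blob and comment in `SAMPLE` are constructed placeholders.

```python
# Added example: parse and audit the options field of one authorized_keys line.
KEY_PREFIXES = ("ssh-", "ecdsa-sha2-", "sk-")      # how the key-type field starts
RESTRICTIONS = ("no-port-forwarding", "no-x11-forwarding",
                "no-agent-forwarding", "no-pty")
# Constructed sample: options from the question, placeholder key blob and comment.
SAMPLE = ('command="shutdown -p now",no-port-forwarding,no-X11-forwarding,'
          'no-agent-forwarding,no-pty ssh-rsa AAAA_PLACEHOLDER_KEY shutdown@example')

def split_unquoted(text, sep):
    """Split on sep, but not inside double quotes; \\" is an escaped quote."""
    parts, cur, quoted, i = [], "", False, 0
    while i < len(text):
        ch = text[i]
        if quoted and text[i:i + 2] == '\\"':
            cur, i = cur + '\\"', i + 2
            continue
        if ch == '"':
            quoted = not quoted
        if ch == sep and not quoted:
            parts.append(cur)
            cur = ""
        else:
            cur += ch
        i += 1
    if quoted:
        raise ValueError("unterminated double quote")
    return parts + [cur]

def parse_line(line):
    """Return (options dict, key type); option names are lower-cased."""
    fields = [f for f in split_unquoted(line.strip(), " ") if f]
    opts = {}
    if fields and not fields[0].startswith(KEY_PREFIXES):   # options field present
        for item in split_unquoted(fields.pop(0), ","):
            name, _, value = item.partition("=")
            quoted = value.startswith('"')
            opts[name.lower()] = value[1:-1].replace('\\"', '"') if quoted else value or True
    if not fields:
        raise ValueError("no key type found")
    return opts, fields[0]

def audit(line):
    """List hardening gaps for one key line (empty list means none found)."""
    opts, _ = parse_line(line)
    findings = [] if "command" in opts else ["no command= option"]
    if "restrict" not in opts:
        findings += ["missing " + r for r in RESTRICTIONS if r not in opts]
    return findings

if __name__ == "__main__":
    print(parse_line(SAMPLE)[0]["command"], audit(SAMPLE))
```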