ssh – How safe is it to protect an ssh key without a passphrase using the "command" option in the authorized_keys file

Tags: security, ssh

There are times when using ssh keys with an empty passphrase is highly
desirable (backups, …). The well-known problem is that such keys are
safe only as long as they are kept out of untrusted hands.

Yet, in case they are compromised, those keys may be further
protected from doing too much harm by prepending some options to them in the
server's authorized_keys file, e.g.:

command="/usr/bin/foo",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty ssh-rsa AAA.....

Theoretically, this key could only be used to run the command /usr/bin/foo
on the server. A new problem then arises, since one would need a special
dedicated key for every command.

For this reason, a more elaborate variant may be found on the internet (e.g. on this very same site: sshd_config versus authorized_keys command parameter)
that consists of installing a generic key restricted to a locally
crafted script that makes use of the SSH_ORIGINAL_COMMAND environment
variable set by ssh.

The (restricted) key blurb in authorized_keys would then look like:

command="/usr/local/bin/myssh",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty ssh-rsa AAA.....

and the myssh script would look like:

#!/bin/sh
# Forced-command wrapper: sshd runs this script instead of whatever the
# client asked for, and passes the client's request in SSH_ORIGINAL_COMMAND.
msg="Command not allowed with this key"
case "$SSH_ORIGINAL_COMMAND" in
  *\&*)
      echo "$msg"
      ;;
  *\(*)
      echo "$msg"
      ;;
  *\{*)
      echo "$msg"
      ;;
  *\;*)
      echo "$msg"
      ;;
  *\<*)
      echo "$msg"
      ;;
  *\`*)
      echo "$msg"
      ;;
  *\|*)
      echo "$msg"
      ;;
  rsync\ --server*)
      # optionally check for extra arguments
      # ....
      # then run the client's request as given (unquoted, so the shell
      # word-splits and glob-expands it before execution)
      $SSH_ORIGINAL_COMMAND
      ;;
  some-local-script*)
      # optionally check for extra arguments
      # ....
      # then run the client's request as given (same caveat as above)
      $SSH_ORIGINAL_COMMAND
      ;;
  *)
      # anything not explicitly listed is refused
      echo "$msg"
      ;;
esac

My one and only question is: can one be sure that such a protected key
could not be used to escape out of its cage?

Thanks in advance!
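The same forced-command idea, written as an added example that is neither the asker's script above nor gitolite's code: instead of blacklisting shell metacharacters and then handing the client string back to the shell, this dispatcher allowlists. Every word must come from a small character set, the first word must match an allowed program exactly, an rsync request must be in --server mode and write only under a backup root (and may not use --sender, so the key is write-only), and the argv is rebuilt from the validated words before exec. The paths RSYNC_BIN, BACKUP_ROOT and LOCAL_SCRIPT, the script name some-local-script and the logger tag are assumptions for the example.

```shell
#!/bin/sh
# Added example: allowlist dispatcher for a forced command in authorized_keys.
# Not the asker's script and not gitolite's code. RSYNC_BIN, BACKUP_ROOT and
# LOCAL_SCRIPT are assumed paths for the example. Install as
#   command="/usr/local/bin/myssh",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty ssh-ed25519 AAA...

set -f                          # client-supplied words are never glob-expanded
export LC_ALL=C                 # [A-Za-z] ranges mean ASCII only

RSYNC_BIN=/usr/bin/rsync
BACKUP_ROOT=/srv/backup
LOCAL_SCRIPT=/usr/local/bin/some-local-script

# classify_command "<client string>": prints "allow:rsync", "allow:local" or
# "deny:<reason>" and returns 0 (allowed) or 1 (denied). It executes nothing,
# so it can be tested on its own; dispatch_command below does the exec.
classify_command() {
    orig=$1
    set -- $orig                # word-split on IFS; no globbing thanks to set -f
    if [ $# -eq 0 ]; then echo "deny:empty command"; return 1; fi
    # "$*" rejoins the words with single spaces; any tab, newline, doubled,
    # leading or trailing space in the original makes the two strings differ.
    if [ "$*" != "$orig" ]; then echo "deny:non-canonical whitespace"; return 1; fi
    # Every word is limited to a small character set; $ ; | & ` ( ) < > and
    # friends can never reach the exec below.
    for word in "$@"; do
        case "$word" in
            *[!A-Za-z0-9_./=@:,-]*) echo "deny:character in '$word'"; return 1 ;;
        esac
    done
    case "$1" in
        rsync)
            # Only rsync's server mode, which is what a client 'rsync ... host:/path' invokes.
            if [ "$2" != "--server" ]; then echo "deny:rsync not in --server mode"; return 1; fi
            # Refusing --sender makes the key write-only: it can push backups, not read them back.
            for word in "$@"; do
                if [ "$word" = "--sender" ]; then echo "deny:--sender (read-back)"; return 1; fi
            done
            # The last argument of an 'rsync --server' argv is the destination path.
            for word in "$@"; do dest=$word; done
            case "$dest" in
                "$BACKUP_ROOT"/*) ;;
                *) echo "deny:destination outside $BACKUP_ROOT"; return 1 ;;
            esac
            case "$dest" in
                *..*) echo "deny:parent-directory reference"; return 1 ;;
            esac
            echo "allow:rsync"; return 0 ;;
        some-local-script)
            if [ $# -gt 2 ]; then echo "deny:too many arguments"; return 1; fi
            echo "allow:local"; return 0 ;;
        *)
            echo "deny:unknown command '$1'"; return 1 ;;
    esac
}

# dispatch_command "<client string>": log and refuse, or exec the allowed
# program with an argv rebuilt from the already validated words.
dispatch_command() {
    verdict=$(classify_command "$1") || {
        command -v logger >/dev/null 2>&1 && logger -t myssh "$verdict: $1"
        echo "Command not allowed with this key" >&2
        exit 1
    }
    set -- $1
    shift                       # drop the command word; the rest is its argv
    case "$verdict" in
        allow:rsync) exec "$RSYNC_BIN" "$@" ;;
        allow:local) exec "$LOCAL_SCRIPT" "$@" ;;
    esac
}

# sshd sets SSH_ORIGINAL_COMMAND for a forced command; when it is absent
# (e.g. the script is sourced for testing) nothing is dispatched.
case "${SSH_ORIGINAL_COMMAND+set}" in
    set) dispatch_command "$SSH_ORIGINAL_COMMAND" ;;
esac
```

The design choice is that the client string is only ever split into words and compared; the shell never re-parses it, so the question "which metacharacter did I forget to blacklist?" does not arise. Refusals are logged with the reason, which is the signal a defender wants when a backup key starts being used for anything but backups.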

Best Answer

Actually, gitolite uses the same method to authenticate the user (identify the user based on the SSH key used) and restrict what the user can run (effectively only the command which starts gitolite).

gitolite is used by kernel.org for access control of their git repos, so I think that method should be quite reliable.