Ssh – Make SSH_ORIGINAL_COMMAND available in AuthorizedKeysCommand context

ssh

Using SSH_ORIGINAL_COMMAND in authorized_keys is so helpful that I'd like to know how to access it in the AuthorizedKeysCommand context (via env?). Is this possible? Can anybody give me advice on going into this?

If possible, I'll use this SSH_ORIGINAL_COMMAND to send client-specific information to the AuthorizedKeysCommand script. Currently, the only alternative to this is to use the login itself (we have around 30k+ different 'hosts' that might want to connect to our servers) to identify the client, but that comes with the need for a custom NSS endpoint configuration (we use libnss-pgsql2) to support dynamic user lookup, and more work (to manage uid & co).

Using 'one' standard user file was enough (and a lot simpler), as those hosts don't need to do anything but set up a reverse port forwarding rule, and are bound to a very limited shell.

My (now useless) /home/host_controler/.ssh/authorized_keys file (built on a cron run) was like:

    command="limited_shell.sh --host_id=XXX1 $SSH_ORIGINAL_COMMAND" ssh-rsa <pubkey of host 1>
    command="limited_shell.sh --host_id=XXX2 $SSH_ORIGINAL_COMMAND" ssh-rsa <pubkey of host 2>
    command="limited_shell.sh --host_id=XXX3 $SSH_ORIGINAL_COMMAND" ssh-rsa <pubkey of host 3>

Thank you very much for your help!

Best Answer

You need to put the case switching into your limited_shell.sh or write another wrapper. There may be possibilities to put your specific config needs into the central ssh_config, but I have never done that, so I can't help further.
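The split the answer recommends, as an added example that is neither the poster's script nor the answerer's code. The point it makes concrete: sshd runs AuthorizedKeysCommand during public-key authentication, before the client has opened a session channel and sent its command, so SSH_ORIGINAL_COMMAND cannot exist there. What the AuthorizedKeysCommand can do is map the presented key to a host id and embed that id in the forced command; the case switching on SSH_ORIGINAL_COMMAND then happens inside limited_shell.sh once the session starts. The script path, the sshd_config lines, the key database format, the sample key blobs and the verbs accepted by dispatch are all assumptions made for the example.

```shell
#!/bin/sh
# Added example, not code from the original thread.
#
# Assumed sshd_config (hypothetical; the %t/%k tokens need OpenSSH 6.9+,
# the "restrict" option needs OpenSSH 7.2+):
#   AuthorizedKeysCommand /usr/local/sbin/host_keys.sh %u %t %k
#   AuthorizedKeysCommandUser nobody
# Assumed key database /etc/ssh/host_keys.db, one line per host:
#   <keytype> <base64 key> <host_id>

set -u

# lookup_host_id DB KEYTYPE KEYBLOB: print the host id for a key, exit 1 if unknown.
lookup_host_id() {
  awk -v t="$2" -v k="$3" '
    $1 == t && $2 == k { print $3; found = 1; exit }
    END { exit !found }' "$1"
}

# valid_host_id ID: only characters that are safe to embed inside the quoted
# command= option of an authorized_keys line (a '"' or ';' in the id would let
# a database entry rewrite the forced command).
valid_host_id() {
  case $1 in
    '' | *[!A-Za-z0-9_-]*) return 1 ;;
  esac
}

# emit_authorized_key DB USER KEYTYPE KEYBLOB: print the authorized_keys line
# sshd should use. "restrict" disables pty, agent/X11 forwarding, user rc and
# port forwarding; "port-forwarding" re-enables only what the hosts need for
# their reverse tunnel. No SSH_ORIGINAL_COMMAND is consulted here: it does
# not exist yet at authentication time.
emit_authorized_key() {
  db=$1; user=$2; ktype=$3; kblob=$4
  [ "$user" = host_controler ] || return 1
  host_id=$(lookup_host_id "$db" "$ktype" "$kblob") || return 1
  valid_host_id "$host_id" || return 1
  printf 'restrict,port-forwarding,command="/usr/local/bin/limited_shell.sh --host_id=%s" %s %s\n' \
    "$host_id" "$ktype" "$kblob"
}

# dispatch HOST_ID COMMAND: the case switching that belongs in limited_shell.sh,
# which would call   dispatch "$host_id" "${SSH_ORIGINAL_COMMAND:-}"   at session
# start. It prints the action it would take so it can be exercised without sshd.
dispatch() {
  host_id=$1; cmd=${2:-}
  case $cmd in
    '')        echo "hold:$host_id" ;;             # bare "ssh -N -R ..." session: keep the tunnel up
    status)    echo "status:$host_id" ;;
    report\ *) echo "report:$host_id:${cmd#report }" ;;
    *)         echo "rejected:$host_id:$cmd" >&2; return 1 ;;
  esac
}

# Constructed sample key database (the blobs are not real keys) so the
# functions can be run offline. The third entry shows why valid_host_id exists.
KEYDB=$(mktemp)
trap 'rm -f "$KEYDB"' EXIT
cat >"$KEYDB" <<'EOF'
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedKeyForHostOne0000000000000000000 XXX1
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedKeyForHostTwo0000000000000000000 XXX2
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedBadId000000000000000000000000000 XXX3";command="/bin/sh
EOF

# When sshd invokes this file as host_keys.sh <user> <keytype> <keyblob>,
# answer from the real database and stop.
if [ $# -eq 3 ]; then
  emit_authorized_key "${HOST_KEYDB:-/etc/ssh/host_keys.db}" "$1" "$2" "$3"
  exit $?
fi
```

The file sshd runs must be owned by root and not writable by group or others, and with 30k hosts the lookup would be a database query rather than awk over a flat file; the shape of the output line is what matters. The third sample entry is rejected by valid_host_id, which is the check a practitioner wants when the host id comes from data the key owner may have influenced.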