Configuring the OpenSSH Server For User Access
User-specific configuration on the server side of a connection is in the $HOME/.ssh directory, which contains the following files:
- authorized_keys
  Contains the authorized public keys for a user. The server uses the signed public key in this file to authenticate a client.
- environment
  Contains definitions of environment variables. This file is optional.
- rc
  Contains commands that ssh runs when a user logs in, before the user’s shell or command runs. This file is optional.
For more information, see the ssh(1) and ssh_config(5) manual pages.
Restricting SSH Key Access to Specific Commands
You can add user-specific configurations on the server side of a connection by editing the $HOME/.ssh/authorized_keys file. In addition to listing SSH keys with which a user can authenticate, you can optionally impose further restrictions on what that user can do with each of those keys.
For example, with the command option, you can specify a single command that runs for every connection made with one key, after which the connection immediately ends.
command="command" ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA6OabJhWABsZ4F3mcjEPT3sxnXx1OoUcvuCiM6fg5s...
By using the command option, security-conscious users can restrict the system access available to a particular key that might be used for a scripted action and that might not be passphrase protected.
You can also ensure that the key is only accepted if the inbound connection originates from the internal network by using the from option to set an authorized range of IPv4 addresses. For example, to prevent any IP addresses from outside the 192.0.2.0/24 range from connecting with an SSH key, append the following line to the $HOME/.ssh/authorized_keys file with the correct key value:
from="192.0.2.0/24" ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA6OabJhWABsZ4F3mcjEPT3sxnXx1OoUcvuCiM6fg5s...
For more information, see the sshd(8) manual page.
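To check which keys in an authorized_keys file actually carry the command and from restrictions described above, the following added example (not part of the original documentation) parses the options field and reports keys that lack either option or whose options are malformed. The function names and the sample file are constructed for illustration, and from_allows assumes the from list holds only CIDR ranges or plain addresses.

```python
import ipaddress
import re

KEY_TYPES = ("ssh-", "ecdsa-sha2-", "sk-")  # prefixes that start the key field (not exhaustive)
# One option: name, optional ="value" (\" is an escaped quote), then "," or whitespace.
OPTION = re.compile(r'([A-Za-z0-9-]+)(?:="((?:\\"|[^"])*)")?(?:,|[ \t]+)')

def parse_line(line):
    """Return (options, key_part) for one authorized_keys line; None for blank or comment lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    opts, pos = {}, 0
    while not line.startswith(KEY_TYPES, pos):
        m = OPTION.match(line, pos)
        if m is None:
            raise ValueError("malformed options field")
        opts[m.group(1).lower()] = (m.group(2) or "").replace('\\"', '"')
        pos = m.end()
    return opts, line[pos:]

def from_allows(opts, addr):
    """True if addr is inside a from= entry. Handles CIDR ranges and plain addresses only."""
    if "from" not in opts:
        return True  # no from= option: the key is accepted from any source
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(p, strict=False) for p in opts["from"].split(","))

def audit(text):
    """Return [(line_no, problems)] for keys that lack command= or from=, or fail to parse."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        try:
            parsed = parse_line(line)
        except ValueError as exc:
            findings.append((n, [str(exc)]))
            continue
        if parsed is not None and (missing := [o for o in ("command", "from") if o not in parsed[0]]):
            findings.append((n, missing))
    return findings

# Constructed sample; the key material is a placeholder, not a real key.
SAMPLE = '''# backup job
command="/usr/local/bin/backup --tag \\"nightly,full\\"",from="192.0.2.0/24" ssh-rsa AAAAB3PLACEHOLDER backup@host
from="192.0.2.0/24" ssh-rsa AAAAB3PLACEHOLDER ops@host
ssh-ed25519 AAAAC3PLACEHOLDER admin@host
from=192.0.2.0/24 ssh-rsa AAAAB3PLACEHOLDER unquoted@host
'''

print(audit(SAMPLE))
```

The last sample line omits the double quotes around the option value, which sshd(8) requires, so the audit reports it as malformed instead of treating it as restricted.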