The Linux Page

SSH authorized_keys features

Pretty much every day I learn something... Today it is the fact that you can enter variables in front of a key in authorized_keys that ask the SSH daemon to verify a certain number of facts about the connection being made.

For instance, it can automatically test that the IP address of the person connecting is a specific IP (if you have a static IP address, very practical!)

You can even run a shell command line. That can be used to verify what is going to be executed on your system. For instance, you may allow only rsync to run (which is generally what I do) and check that the command line is correct (does not include characters that you would not expect, like a pipe, an asterisk, etc.)

I'm wondering where the documentation of those variables is... I'll add a link here once I find it.

The two options that I just mentioned work as described below.

Source IP

  from="192.168.1.1"

Say your IP address is 192.168.1.1, then on the server, in front of your public key, you add from="192.168.1.1". Only that one address will be able to connect using the private key. So even if a hacker gets your private key, they would still need to connect from your computer to be able to access your server (although I guess they could try by faking the IP address...)

One can use patterns to ease the acceptance of many different IP addresses. The asterisk (*) represents 0 or more characters and the question mark (?) represents any one character. So to accept connections on any address in the class B you would write:

  from="192.168.*"

You can also enter multiple patterns separated by commas as in:

  from="192.168.1.*,192.168.2.*"

which accepts all class C addresses in 192.168.1 and 192.168.2.

Command Line

  command="/home/me/bin/command"

The command to be executed. You most certainly want to use a full path to make 100% sure that it is the right command that gets executed since the environment variables may not be what you'd otherwise expect.

The command can be anything you want and generally it will be a shell script that verifies that the remote command request is what you'd expect for the key being used.

To check the command, you can use the "$SSH_ORIGINAL_COMMAND" variable. For security reasons, you must always put it between quotes since it is likely to include spaces.

To reject a command, echo "Rejected" and do not run anything else. Since the script runs in place of the command the client requested, that prevents the command from being executed. To execute the command, use $SSH_ORIGINAL_COMMAND by itself on a line of the script.

To test for rsync, you should verify that it is calling rsync --server. If possible, include the full path to your rsync binary.
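
One way to write such a checking script, as an added example (it is not from the original post): it accepts only rsync --server requests made of expected characters and runs them through the full path of rsync rather than through $SSH_ORIGINAL_COMMAND on a line by itself. The /usr/bin/rsync location, the allowed character list, and the function names check_command and run_request are assumptions.

```sh
#!/bin/sh
# Added example: forced-command wrapper, installed at the path used in
# command="/home/me/bin/command". RSYNC is an assumed location; adjust it.
LC_ALL=C; export LC_ALL        # make the A-Z / a-z ranges below byte ranges
RSYNC=/usr/bin/rsync

# check_command REQUEST -> 0 if REQUEST is "rsync --server ..." made only of
# expected characters, 1 otherwise. Nothing is executed here.
check_command() {
    set -f                     # no filename expansion while splitting
    set -- $1                  # split into words, exactly as run_request will
    [ "$#" -ge 2 ] || return 1
    case "$1" in
        rsync|"$RSYNC") ;;
        *) return 1 ;;
    esac
    [ "$2" = "--server" ] || return 1
    for word in "$@"; do
        case "$word" in
            # Anything outside this allow-list (pipe, asterisk, quotes, $,
            # backtick, semicolon, ...) rejects the whole request.
            *[!A-Za-z0-9._/,=:@+-]*) return 1 ;;
        esac
    done
    return 0
}

# run_request REQUEST -> replaces this process with rsync, or prints
# "Rejected" and returns 1.
run_request() {
    if check_command "$1"; then
        set -f
        set -- $1
        shift                  # drop the client's own "rsync" word
        exec "$RSYNC" "$@"     # full path, argument vector, no shell re-parse
    fi
    echo "Rejected"
    return 1
}

# sshd sets SSH_ORIGINAL_COMMAND only when the client asked for a command.
# An interactive login leaves it unset: nothing runs and the session ends.
if [ -n "${SSH_ORIGINAL_COMMAND+set}" ]; then
    run_request "$SSH_ORIGINAL_COMMAND" || exit 1
fi
```

Paths containing spaces or other characters outside the allow-list are rejected, so extend the list only as far as your transfers need.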

Resulting authorized_keys

  from="192.168.1.1",command="/home/me/bin/command" ssh-dss AAAAB[...]IA= me@domain

As you can see, different parameters are separated by commas. The last one is followed by a space and the public key information as you'd expect (I snipped that key for clarity, it should be a lot longer.)

Source

I have found that information on Troy Johnson's website.

Complementary Documentation

The complete documentation can be found in the manual page named authorized_keys. Try this:

   man authorized_keys

And, no, it never came to my mind that could be useful! The variables are quite far from the beginning... search for AUTHORIZED_KEYS FILE FORMAT to find the info I talk about here.

There are other features that one can use to tighten the security of a public key such as preventing an ssh -L (forwarding features.)

Enjoy!