How safe is it to protect an ssh key without passphrase using the "command" option in the authorized_keys file?

Actually, gitolite uses the same method to authenticate the user (identifying the user based on the SSH key used) and to restrict what the user can run (effectively only the command which starts gitolite).

gitolite is used by kernel.org to control access to their git repos, so I think that method should be quite reliable.


It depends on the security of the wrapper script and the allowed commands.

The wrapper script needs to guard against attempts to run multiple commands (e.g. allowed-command blah; other-command) or to abuse PATH differences. I would probably write the script to call allowed commands with their full path, and use exec to prevent further interpretation of the client-provided command:

#!/bin/sh
# Run only the commands matched below; anything else is refused.
set -- $SSH_ORIGINAL_COMMAND
case "$SSH_ORIGINAL_COMMAND" in
    rsync\ --server*)
        shift 2
        exec /usr/bin/rsync --server "$@"
        ;;
    *)  echo "command not allowed" >&2; exit 1 ;;
esac

You also need to ensure that the allowed commands don't have a mechanism to execute other commands. For example, rsync -e "other-command" would make rsync execute a different command. (--server should prevent this in the above script however.)
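A fuller version of the wrapper idea in this answer, as an added example that is not the answer's own script: it refuses any request containing shell metacharacters (so `allowed-command blah; other-command`, backticks, redirections and quoted `-e` arguments are all rejected before word-splitting), matches an explicit allowlist of commands, and then exec's the chosen binary by full path. The allowlist entries (`rsync --server` and `git-upload-pack`), the installed path `/usr/local/bin/ssh-wrapper`, and the binary paths are assumptions for illustration; the decision logic is separated into `classify` so it can be checked without an SSH session.

```shell
#!/bin/sh
# Added example: forced-command wrapper for an authorized_keys entry such as
#   command="/usr/local/bin/ssh-wrapper",no-port-forwarding,no-X11-forwarding,no-pty ssh-ed25519 AAAA...
# sshd puts the client's requested command in SSH_ORIGINAL_COMMAND; the wrapper
# decides whether to run it and never hands the string to a shell for parsing.
# Paths and allowed commands below are assumed for illustration.

# Return 0 if the string contains anything that could chain, substitute or
# redirect commands. Checked before any word-splitting takes place.
has_shell_meta() {
    case "$1" in
        *';'*|*'&'*|*'|'*|*'`'*|*'$'*|*'('*|*')'*|*'<'*|*'>'*|*'\'*|*"'"*|*'"'*) return 0 ;;
        *) return 1 ;;
    esac
}

# Classify a requested command string. Prints one of:
#   rsync-server - "rsync --server ..." (allowed; remaining args passed through)
#   git-upload   - "git-upload-pack <repo>" (allowed; read-only git fetch)
#   denied       - anything else, including an empty request (interactive shell)
# Returns 0 for an allowed command and 1 for a denied one.
classify() {
    cmd=$1
    if [ -z "$cmd" ]; then echo denied; return 1; fi
    if has_shell_meta "$cmd"; then echo denied; return 1; fi
    case "$cmd" in
        'rsync --server '*)  echo rsync-server; return 0 ;;
        'git-upload-pack '*) echo git-upload; return 0 ;;
    esac
    echo denied
    return 1
}

# Run the allowed command with its full path via exec, so nothing after it in
# this script (and no login shell) can reinterpret the client's string.
dispatch() {
    kind=$(classify "$SSH_ORIGINAL_COMMAND") || {
        echo "rejected command: $SSH_ORIGINAL_COMMAND" >&2
        exit 1
    }
    set -f                          # no glob expansion during word-splitting
    set -- $SSH_ORIGINAL_COMMAND    # split into $1 $2 ...; metacharacters already refused
    case "$kind" in
        rsync-server)
            shift 2                 # drop "rsync --server"
            exec /usr/bin/rsync --server "$@" ;;
        git-upload)
            [ $# -eq 2 ] || exit 1  # exactly one repository path
            exec /usr/bin/git-upload-pack "$2" ;;
    esac
    exit 1
}

# Only dispatch when sshd actually invoked us (SSH_ORIGINAL_COMMAND is set);
# sourcing the file elsewhere just defines the functions.
if [ -n "${SSH_ORIGINAL_COMMAND+x}" ]; then dispatch; fi
```

The metacharacter check is deliberately broad: rather than reasoning about which characters each allowed binary might treat specially, the wrapper refuses anything that is not a plain list of words, and `--server` is still pinned on the command line so a client cannot request a different rsync mode. Pair the `command=` option with `no-pty`, `no-port-forwarding` and `no-X11-forwarding` in authorized_keys, since the wrapper only governs the command and not those other channels.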