How safe is it to protect an ssh key without passphrase using the "command" option in the authorized_keys file?

ssh security

Actually, gitolite use the same method to authenticate the user (identify the user base on the SSH key used) and restrict what the user could run (effectively only the command which starts gitolite).

gitolite is used by kernel.org for access control their git repo, so I think that method should be quite reliable.1


It depends on the security of the wrapper script and the allowed commands.

The wrapper script needs to guard against attempts to run multiple commands (e.g. allowed-command blah; other-command) or abuse PATH differences. I would probably write the script to call allowed commands with their full path, and use exec to prevent further interpretation of the client provided command:

set -- $SSH_ORIGINAL_COMMAND
case "$SSH_ORIGINAL_COMMAND" in
    rsync\ --server*)
        shift 2;
        exec /usr/bin/rsync --server "$@"
        ;;

You also need to ensure that the allowed commands don't have a mechanism to execute other commands. For example, rsync -e "other-command" would make rsync execute a different command. (--server should prevent this in the above script however.)

Related

Why does Remove-ADGroupMember default to requiring confirmation?
Windows 2012 hyper-v saying degraded (integration services upgrade required) on Ubuntu 12.04
Why are DNS lookups not respecting /etc/nsswitch.conf & /etc/host.conf?
Confirm disk is broken when it passes all diagnostics
Is there ever a reason to use tmpfs instead of or in addition to zRAM?
Is this a sign of dying hard drive?
Nginx + WordPress : 414 Request-URI Too Long
KVM: Run a script when a guest is shutdown from within?
Trouble compiling modern GCC with antique glibc
HTTP reverse proxy redirect internally
strongswan: entirely virtual subnet [closed]
Infiniband port status UP but can't open UMAD port ((null):0)