[SOLVED] ssh authorized_keys command= does not work

ario · 01-29-2024, 08:12 AM

Hi Folks,
On the internet there are numerous articles and forums topics talking about adding a line like:

Code:

command="/usr/bin/ls" <ssh-key-here>

To the file:

Code:

$HOME/.ssh/authorized_keys

And it will supposedly limit the command that the user can run.
Well it didn't!
So I can ssh from my client to the server when my authorized_keys file is like:

Code:

<ssh-key-here>

And cannot login when it is like:

Code:

command="/usr/bin/ls" <ssh-key-here>

The error is:

Code:

server.address.com: Permission denied (publickey,gssapi-keyex,gssapi-with-mic).

Notice that the whole stack of network, operating system, ssh, configuration, keys, permission, etc works properly, UNTIL I add the command= to the beginning of the line. Then it does not work.
Please help. Thanks in advance.

Turbocapitalist · 01-29-2024, 08:30 AM

Something is obviously wrong with how you are prepending the command="..." part. For example, you might have copy-pasted smart quotes from a tutorial or guide instead of using proper ASCII quotes.

But it is hard to guess without more information. Do you have access to the server such that you can read the logs made by sshd? Or, better yet, can you temporarily run a more verbose instance and capture the results to a file as you try connecting with the defective authorized_keys file? e.g.

Code:

/usr/sbin/sshd -p 2022 -d -d -E /tmp/ssh.log

Then connect to the server on port 2022 instead of port 22 as you get the error. Then check the file /tmp/ssh.log on the server for clues. It should say something about error.

michaelk · 01-29-2024, 09:25 AM

How did you edit the file? Are the authorized_keys file permissions still -rw------ and owned by your user?

ario · 01-29-2024, 02:25 PM

Quote:

Originally Posted by michaelk

How did you edit the file? Are the authorized_keys file permissions still -rw------ and owned by your user?

Thanks for the reply.
The file permissions are correct. Because when I remove the command= part from the beginning, everything works. So any other ideas?

ario · 01-29-2024, 02:36 PM

Quote:

Originally Posted by Turbocapitalist

Something is obviously wrong with how you are prepending the command="..." part. For example, you might have copy-pasted smart quotes from a tutorial or guide instead of using proper ASCII quotes.

But it is hard to guess without more information. Do you have access to the server such that you can read the logs made by sshd? Or, better yet, can you temporarily run a more verbose instance and capture the results to a file as you try connecting with the defective authorized_keys file? e.g.

Code:

/usr/sbin/sshd -p 2022 -d -d -E /tmp/ssh.log

Then connect to the server on port 2022 instead of port 22 as you get the error. Then check the file /tmp/ssh.log on the server for clues. It should say something about error.

Thanks man. Now I can see some logs:

Code:

Bad options in /home/ec2-user/.ssh/authorized_keys file, line 3: command=ls

So seeing that log output, below combination finally worked:

Code:

command="/usr/bin/echo 'No commands allowed'" <ssh key here>

Thanks for all replies.