Potentially Useful SSH options

  1. 'from="10.1.1.1"' (this can be specified within the authorized_keys file prior to the command="" option)
  2. 'PermitRootLogin forced-commands-only' in your /etc/ssh/sshd_config
  3. 'no-port-forwarding'
  4. 'no-X11-forwarding'
  5. 'no-agent-forwarding'
  6. 'no-pty'
  7. 'authprogs' (this is a program rather than an argument to link with a key) - this site no longer hosts it but this one has a copy?

Determining The Command being run for inclusion in an ssh allow command

"To get the proper command to put in your command="" statement, run your rsync command with an unrestricted SSH key first (i.e. just copy the id_rsa.pub to authorized_keys2). When you run the rsync command on your Mac, do a ps auxw | grep rsync on the server machine. The command that you see listed is the command that goes in the key." Quoted from a great article about setting up Rsync wrapper.

Possible Wrapper Scripts

Example 1

Link to Source Copyright © 2004, 2005 by Barry O'Donovan. This material may be distributed only subject to the terms and conditions set forth in the Open Publication License, v3.0 or later (the latest version is presently available at http://www.opencontent.org/openpub/).

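#!/bin/sh

# sshd places the command the client asked for in SSH_ORIGINAL_COMMAND.
case "$SSH_ORIGINAL_COMMAND" in
    # Refuse anything containing &, ; or |
    *\&* | *\;* | *\|*)
        echo "Access denied"
        ;;
    # Run the request only if it is an rsync server invocation
    rsync\ --server*)
        $SSH_ORIGINAL_COMMAND
        ;;
    *)
        echo "Access denied"
        ;;
esac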

Example 2

Link to Source Copyright 2003-2008 Troy Johnson. Released under the terms of the GNU GPL.

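#!/bin/sh

# Reject requests containing &, (, {, ;, < or a backtick, then allow only
# rsync server invocations; everything else is rejected.
case "$SSH_ORIGINAL_COMMAND" in
    *\&*)
        echo "Rejected"
        ;;
    *\(*)
        echo "Rejected"
        ;;
    *\{*)
        echo "Rejected"
        ;;
    *\;*)
        echo "Rejected"
        ;;
    *\<*)
        echo "Rejected"
        ;;
    *\`*)
        echo "Rejected"
        ;;
    rsync\ --server*)
        $SSH_ORIGINAL_COMMAND
        ;;
    *)
        echo "Rejected"
        ;;
esac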
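
Example 3

An added example, not taken from either source above: the same forced-command wrapper written as an allowlist instead of a list of rejected characters, with a non-zero exit status and a syslog entry on refusal. The wrapper path, the function names and the permitted character set are assumptions; widen the set only as far as your own rsync paths require.

```shell
#!/bin/sh
# Added example (not from either quoted source): allowlist-based wrapper.
# Assumed authorized_keys entry (wrapper path and key are placeholders):
#   from="10.1.1.1",command="/usr/local/bin/rsync-wrapper",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa AAAA...PLACEHOLDER backup
LC_ALL=C; export LC_ALL   # make A-Z / a-z ranges mean ASCII only

# Return 0 only if the requested command is an rsync server invocation
# built solely from characters in a conservative allowlist.
rsync_command_allowed() {
    cmd=$1
    case "$cmd" in
        "rsync --server "*) ;;               # exact prefix, including the space
        *) return 1 ;;
    esac
    case "$cmd" in
        *[!A-Za-z0-9\ ._/,=-]*) return 1 ;;  # any character outside the allowlist
    esac
    return 0
}

main() {
    if rsync_command_allowed "${SSH_ORIGINAL_COMMAND:-}"; then
        set -f    # no glob expansion on the split words
        # Intentional word splitting, as in the wrappers above; the words are
        # passed straight to rsync and are not re-parsed by a shell.
        exec $SSH_ORIGINAL_COMMAND
    fi
    # Record the refusal for later review, then fail with a non-zero status.
    logger -t rsync-wrapper -p auth.warning \
        "rejected: ${SSH_ORIGINAL_COMMAND:-<none>}" 2>/dev/null
    echo "Access denied" >&2
    exit 1
}

# Act only when sshd supplied a requested command (forced-command context).
if [ -n "${SSH_ORIGINAL_COMMAND+set}" ]; then
    main
fi
```

An interactive login attempt with this key sets no SSH_ORIGINAL_COMMAND, so the script exits without running anything.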