Looking for a way to restrict your SSH public key to a specific command?
Then this guide is for you.
Of the many authentication methods the SSH protocol supports, public key authentication is one of the most secure. Because it relies on cryptographic keys rather than a secret that can be guessed or phished, it reduces the chance of unauthorized access in ways that even strong passwords cannot.
This tutorial will show you how to tie a single command or script to a public key, so that a user logging in with that key can run only that specific command.
Let’s dive in!
What You’ll Need
Before jumping into the guide, you should check whether you have everything in place to follow the tutorial. You’ll need:
- OpenSSH tool for remote login with the SSH protocol
- A terminal for issuing commands
- Access to the authorized_keys file (we’ll discuss this later)
- A text editor
Once you meet the requirements, you can continue to the steps below.
How to Bind SSH Public Key to a Specific Command: Step-by-Step
Step 1: Generate an SSH Key Pair on Your Local System
If you know the basics of the public key authentication method, you know that you need to have a pair of keys—a public key and a private key.
For that, you need to generate such keys. Think of these keys as long, machine-generated passwords. The private key stays with the user only, while the public key is copied to the remote server.
- To generate the key pair, run the below command:
If the command runs successfully, you should see a prompt asking you to enter a file to save the key to, as seen in the below screenshot.
- Enter a file name in which you’d like to save the keys. The default location is /home/<user>/.ssh/id_rsa. You can either create a new file by entering a filename or press Enter to use the default file. This will lead you to the next prompt, where you enter a passphrase.
- After entering a file or choosing the default one, you need to enter a passphrase. This passphrase will be required each time you want to use the private key. Enter a secure passphrase, then re-enter it for confirmation. Alternatively, you can press Enter to skip this step and leave the key unprotected.
- After entering the passphrase twice (or skipping it), the keys will be generated. You will also see the output of where the keys are saved and a character art image for the key, as seen in the below screenshot:
- You can go through one last step to see whether the key generation was successful. To test if the keys are present in the specified directory, run this command:
ls -l ~/.ssh/
Note: If the output shows two files in the directory, the keys are there. The id_rsa file is the private key, and id_rsa.pub is the public key.
With that done, we can move to the next step and copy the public key we just created to the remote server.
Step 2: Copy the Public Key to the SSH Server
When you’ve finished generating the SSH key pair, it’s now time to copy the public key to the remote server’s authorized_keys file. This file contains all the authorized public keys from users who can log into the remote server.
- For copying the generated public key into the remote SSH server, we will use the ssh-copy-id command. The general syntax is as below:
ssh-copy-id -i <key location> username@hostname
SSH uses port number 22 by default. If you need to use a different port, then add that to the command like this:
ssh-copy-id -i <key location> -p <portnumber> username@hostname
Suppose we have a host with the IP address 10.0.2.4 and a user called kali. So in our case, the command will look like this:
ssh-copy-id -i ~/.ssh/id_rsa.pub kali@10.0.2.4
- When you run the command, you will be asked to confirm that you want to connect to the server (the host key prompt). This happens the first time you establish a connection to a server. Type in yes and press Enter.
- Now you need to enter the password for your user account on the remote server. Type in the password correctly and press Enter again. This should copy the public key into the authorized_keys file on your remote server, and you should see the below output:
- If you’re finding this method difficult, you can also manually copy the public key content from your host machine to your server machine.
Now you’re finally ready to bind that public key to a specific command, which you will learn in the next step.
Step 3: Bind the Public Key to a Specific Command
In this step, we’ll bind that created public key to a single command or script.
- Log in to your remote SSH server.
- Locate the authorized_keys file in the ~/.ssh directory and open it in a text editor. We will use the Nano text editor for this. To open the file in Nano, use this command:
sudo nano ~/.ssh/authorized_keys
- At the very start of the key line, we add another field known as the command field and assign it a value: the path of the command or script that should run. Look at the below examples for a better understanding:
So the final format will look like this:
command="/path/to/command" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDW+qQqV2fG6eHFCJZJk9S7HvDZRP+9MwP1Y0VWklAOuRFcVyKoYHn6r5Ll9Q6zY3MS7g3dCI9X+5nRdZPL+EtFc9eRQyCO6wwzAgjFst8eTD8j4Eh5XOBuX/KwT03K7uO6x+ebfNcS5Rf0cA2ZZvSUh+2qD0l8HCO7rCVgdtxRvRAT1dPWV69p9L3bGt+EmTBi+q5S+bcJN1C1uhWDTpUSC1Znq9U3C4ZNXA2PQaaLlZzOL08mNfIXdQW5XFZuzDROv9DC4ly8AFstNdJyZBJ+Rw1SoxJ52Lh6My5UosE/Vn8X6JAMVUCiG0DE+Fd4j7tBtBjcT3XZo4EXAMPLE= zunaid@debian
Save the file by pressing Ctrl + O, then exit Nano by pressing Ctrl + X. Now, whenever you log in to this remote server from your host system with that key, you will see that specific command run in place of a shell, whatever command the client asked for.
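As an added example (not code from the original guide), the script below shows what the command field can point at when one key needs a small, fixed set of commands rather than a single one. When sshd runs a forced command it places the command the client actually requested in the SSH_ORIGINAL_COMMAND environment variable, so a wrapper can compare that request against an allow-list; the wrapper path /usr/local/bin/ssh-forced, the three allowed commands and the logger tag are assumptions for illustration. It also prefixes the key with the restrict option (OpenSSH 7.2 and later), which switches off PTY allocation and port, agent and X11 forwarding, so a stolen key cannot be used to tunnel through the server.

```sh
#!/bin/sh
# ssh-forced: forced-command wrapper for an authorized_keys "command=" entry.
# Added example, not from the original guide. sshd exports the command the
# client actually requested in SSH_ORIGINAL_COMMAND; this script decides
# whether that request may run.

# Print "allow" if the request is on the allow-list, otherwise "deny".
# Matching is exact: "df -h" is allowed, "df -h; sh" is not.
decide_request() {
  case "$1" in
    "uptime"|"df -h"|"systemctl status nginx") echo allow ;;
    *) echo deny ;;
  esac
}

# Build the authorized_keys line. "restrict" (OpenSSH 7.2+) also disables PTY
# allocation and port/agent/X11 forwarding for this key.
# $1 = wrapper path (with arguments), $2 = key type, base64 key and comment.
make_authorized_key_line() {
  printf 'restrict,command="%s" %s\n' "$1" "$2"
}

# Run the requested command or refuse it. Refusals go to stderr (sshd relays
# it to the client) and every decision goes to syslog via logger with the
# hypothetical tag "ssh-forced", so denied requests are visible in the logs.
run_forced_command() {
  req="${SSH_ORIGINAL_COMMAND:-}"
  if [ "$(decide_request "$req")" = allow ]; then
    logger -t ssh-forced "allowed for ${USER:-?}: $req" 2>/dev/null
    exec $req   # unquoted on purpose: the allow-listed strings are fixed words
  fi
  logger -t ssh-forced "denied for ${USER:-?}: ${req:-<interactive login>}" 2>/dev/null
  echo "ssh-forced: request not permitted" >&2
  exit 1
}

# Only dispatch when sshd invokes the script with --dispatch, so the functions
# above can be sourced and checked without executing anything.
if [ "${1:-}" = "--dispatch" ]; then
  run_forced_command
fi
```

With the line produced by make_authorized_key_line in ~/.ssh/authorized_keys, `ssh -i ~/.ssh/id_rsa kali@10.0.2.4 'df -h'` runs the disk report, while `ssh -i ~/.ssh/id_rsa kali@10.0.2.4 bash` or a plain interactive login is refused and logged.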
Why Should You Bind SSH Public Key to Specific Commands?
By restricting the public key to a specific command, you reduce the damage in the case of unauthorized access. Even if your private key is stolen, the attacker is confined to that one command rather than getting a shell, and can do little of consequence within that limited scope.
Additionally, by following the least privilege principle, you ensure any user logging in can only use the commands they need to.
Congratulations, you’ve successfully bound your SSH public key to a specific command.
Should you encounter any issues whilst performing the steps above, repeat the steps and double-check the code you input for any potential typing errors.
If this guide helped you, please share it.