Friday Reminder: Web Site Security

Matt Palmer mpalmer at
Sat May 16 03:10:37 UTC 2020

On Fri, May 15, 2020 at 07:24:51PM -0400, Valdis Klētnieks wrote:
> And yes, I know that automated systems can't use passphrases.. so remember to
> check to see if you can use 'force-command=' in the known hosts file so that the
> key can only issue one command.  (yes, this means that if the automation host has
> to do a dozen different things, it needs a dozen keypairs.  Security is always tradeoffs.)

No need for trade-offs here; you can have a `command=` (it's not
`force-command=`) wrapper script that validates the command that was sent
(via `$SSH_ORIGINAL_COMMAND`) and does an `exec` if it's on the "approved"
list.  One key, many commands, any command you don't allow gets blocked.

- Matt

More information about the NANOG mailing list