Often, if you’re administering a server, you’ll find you need
to execute some small task on the server, or you want to delegate a task to
another administrator, but you don’t want to give them full access. Perhaps you
want to execute a remote backup or status test. This can all be accomplished
using ssh with keys so that it can be
unattended, but still secure.

The first step is to create the ssh key using the ssh-keygen utility. This is extremely
straightforward. If you plan to have the task run unattended, be sure not to set
a passphrase on the key. To increase security, make a special account to execute the
task; make sure it can’t log in, and make sure that the ssh public key is used only on a particular server or set of
servers.

On the remote server, copy the user’s ssh public key into ~/.ssh/authorized_keys.
You will need to make some modifications to the line in authorized_keys. To begin, you should set a “command”
keyword to ensure that only one particular command can be executed by that key.
The syntax looks like:

<code>
command="COMMAND" KEY
</code>

where COMMAND could be something as simple as
“/usr/bin/rsync” or “/usr/local/bin/foo.sh”. To enhance and
secure this further, add the following options to authorized_keys:

<code>
command="/usr/local/bin/foo.sh",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty KEY
</code>

This ensures that anyone connecting with this key cannot use port
forwarding, X11 forwarding, or agent forwarding, and that ssh doesn’t allocate a
pseudo-TTY, which prevents the issuing of commands through an interactive
session.
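
What a forced command such as /usr/local/bin/foo.sh might contain, as an added example that is not from the original article: when command="..." is set, sshd runs that script regardless of what the client asked for and exposes the client's request in the SSH_ORIGINAL_COMMAND environment variable, so the script can map a small set of requests to fixed actions. The request names (status, backup) and the programs behind them are assumptions for illustration.

```sh
#!/bin/sh
# Added example, not from the original article: one possible /usr/local/bin/foo.sh.
# The request names and target programs below are assumptions for illustration.

# Print the fixed command line for an allowed request; return 1 for anything else.
resolve_action() {
    case "$1" in
        status)
            echo "/usr/bin/uptime" ;;
        "backup "*)
            job=${1#backup }
            # One argument only: lowercase letters, digits, "_" and "-",
            # and no leading "-" that the target could read as an option.
            case "$job" in
                ""|-*|*[!a-z0-9_-]*) return 1 ;;
            esac
            echo "/usr/local/bin/backup.sh $job" ;;
        *)
            return 1 ;;
    esac
}

run_forced_command() {
    client=${SSH_CONNECTION:-unknown}
    client=${client%% *}               # first field is the client address
    if action=$(resolve_action "${SSH_ORIGINAL_COMMAND:-}"); then
        logger -t foo.sh -p auth.info "allowed for $client: $action"
        # Splitting is safe here: $action was built from validated characters only.
        set -- $action
        exec "$@"
    fi
    # The raw request is not logged, so it cannot inject text into the log.
    logger -t foo.sh -p auth.warning "refused request from $client"
    echo "foo.sh: request not permitted" >&2
    exit 1
}

# Act only when installed under the name foo.sh, so the functions can be
# sourced and tested without executing anything.
case "${0##*/}" in
    foo.sh) run_forced_command ;;
esac
```

With this in place, a client holding the key runs, for example, `ssh user@server status`; any request outside the table is refused and logged.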

If the client system is adequately secured to protect the
password-less key, and the availability of commands is restricted on the
server, using SSH to execute remote commands is a breeze.