SSH authorized_keys command option: multiple commands?

Solution 1:

You can have only one command per key, because the command is “forced”.

But you can use a wrapper script. The called command gets the original command line as the environment variable $SSH_ORIGINAL_COMMAND, which it can evaluate.

E.g. put this in ~/.ssh/allowed-commands.sh:

#!/bin/sh
#
# You can have only one forced command in ~/.ssh/authorized_keys. Use this
# wrapper to allow several commands.

case "$SSH_ORIGINAL_COMMAND" in
    "systemctl restart cups")
        systemctl restart cups
        ;;
    "shutdown -r now")
        shutdown -r now
        ;;
    *)
        echo "Access denied"
        exit 1
        ;;
esac

Then reference it in ~/.ssh/authorized_keys with

command="/home/user/.ssh/allowed-commands.sh",…
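
A hardened variant of the wrapper above, as an added example that is not part of the original answer: it matches the request as a whole string, runs fixed absolute paths, and logs each decision. The `--serve` switch, the `restrict` key option on the authorized_keys line, the syslog tag and the binary paths are assumptions of this example.

```shell
#!/bin/sh
# Added example: exact-match allowlist for an authorized_keys forced command.
# Assumed authorized_keys entry (key is a placeholder; --serve is this
# script's own hypothetical switch):
#   restrict,command="/home/user/.ssh/allowed-commands.sh --serve" ssh-ed25519 <key>
# The absolute paths below are assumptions; adjust them for your system.

# resolve_request REQUEST: print the fixed command line for REQUEST, or return 1.
# REQUEST is only compared as a whole string, never passed to eval or sh -c.
resolve_request() {
    case "$1" in
        "systemctl restart cups") echo "/usr/bin/systemctl restart cups" ;;
        "shutdown -r now")        echo "/usr/sbin/shutdown -r now" ;;
        *)                        return 1 ;;
    esac
}

# serve: entry point when sshd runs the wrapper as the forced command.
serve() {
    request="${SSH_ORIGINAL_COMMAND:-}"   # empty when the client asked for a shell
    if cmdline=$(resolve_request "$request"); then
        logger -t allowed-commands "allow: $request" 2>/dev/null || true
        # Word splitting is safe: cmdline comes from the table, not the client.
        exec $cmdline
    fi
    logger -t allowed-commands "deny: $request" 2>/dev/null || true
    echo "Access denied" >&2
    exit 1
}

# self_check: run constructed sample requests through the allowlist only.
self_check() {
    for req in "systemctl restart cups" "systemctl restart cups; id" \
               "shutdown -r now " "SHUTDOWN -r now" ""; do
        if resolve_request "$req" >/dev/null; then
            echo "allow [$req]"
        else
            echo "deny  [$req]"
        fi
    done
}

case "${1:-}" in
    --serve) serve ;;
    *)       self_check ;;
esac
```

Run without arguments, the script prints the allow/deny decision for each constructed request and executes nothing.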

Solution 2:

No. It is not an "allowed" command, but a "forced" command (like the ForceCommand option).

The only possibility is to use different keys for different commands or read parameters from stdin.


Solution 3:

In the great SSH, The Secure Shell: The Definitive Guide book by O'Reilly, in chapter eight, there is a nice example given using a script like the following:

#!/bin/sh

/bin/echo "Welcome!
Your choices are:
1       See today's date
2       See who's logged in
3       See current processes
q       Quit"

/bin/echo "Your choice:"

# Exit on EOF (client closed stdin) instead of looping forever
read ans || exit 0

while [ "$ans" != "q" ]
do
   case "$ans" in
      1)
         /bin/date
         ;;
      2)
         /usr/bin/who
         ;;
      3)
         /usr/bin/top
         ;;
      q)
         /bin/echo "Goodbye"
         exit 0
         ;;
      *)
         /bin/echo "Invalid choice '$ans': please try again"
         ;;
   esac
   /bin/echo "Your choice:"
   # Exit on EOF (client closed stdin) instead of looping forever
   read ans || exit 0
done
exit 0

Using this in your .authorized_keys file like:

command="/path/to/your/script.sh" <ssh-key>

...gives you this when doing ssh:

Welcome!
Your choices are:
1       See today's date
2       See who's logged in
3       See current processes
q       Quit
Your choice:
