根据SSH密钥限制访问 [英] restrict access based on SSH key

问题描述

说，我在远程服务器storage上有一个帐户，用户可以在其中上传和下载数据.我将允许用户的SSH密钥手动添加到/home/storage/.ssh/authorized_keys.现在，我有两个使用不同公共SSH密钥的用户，Watson和Sherlock.

Say, I have an account on my remote server storage where uses can upload and download data from. I add the SSH key of the allowed users manually to /home/storage/.ssh/authorized_keys. Now, I have two users that use different public SSH keys, Watson and Sherlock.

我如何确保Watson无法上传或从Sherlocks私人画廊下载?是否可以根据用于身份验证的SSH密钥定义文件/文件夹权限?

How can I make sure that Watson can not upload to/download from Sherlocks private gallery? Is it possible to define file/folder permission based on the SSH key that was used to authenticate?

我想到了一个受限制的shell程序，该程序被设置为storage用户的shell.但是，这种受限制的外壳程序如何找出使用了什么SSH密钥?

I thought about a restricted shell program that is set as the storage user's shell. But how can this restricted shell find out what SSH key was used?

推荐答案

您可以尝试在/home/storage/.ssh/authorized_keys文件中使用受限制外壳程序的command选项，如下所示:

You can try using the command option in the /home/storage/.ssh/authorized_keys file, with a restricted shell, like this:

command="cd /home/storage/watson && rbash" ssh-rsa AAAAB3...2Z <- watson's public key
command="cd /home/storage/sherlock && rbash" ssh-rsa AAAAB4...R5 <- sherlock's public key

现在，根据所使用的私钥，用户将在子目录中获得受限制的外壳程序.

Now the user will get a restricted shell in a subdirectory depending on which private key is used.

这篇关于根据SSH密钥限制访问的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！