Looking into the authorized_keys file turned out to be fun. It looks like you can make all sorts of things with it, such as a public key dedicated to port forwarding.
I had thought the authorized_keys file was simply the place where you put public keys.
But authorized_keys has all sorts of handy uses: you can specify a program that runs automatically at login, set environment variables, and so on.
The available settings are the key options listed in the man page excerpt at the end of this post; they are applied automatically when you log in with that key.
Why write settings into the public key?
Because when you register the public key (ssh-copy-id), the settings get registered along with it, which is convenient. I think?
Even for the same user, you can partition what each public key is allowed to do.
Specifying no-port-forwarding
Prepend it to the entry in authorized_keys:
no-port-forwarding ssh-rsa AAAAB3NzaC1yc2EA...(snip) ===
takuya@atom:~$ ssh -C -L 8080:192.168.22.34:22 192.168.22.210
Last login: Sun Aug 14 00:58:30 2011 from 10t.ne.jp
takuya@debian00:~$ channel 3: open failed: administratively prohibited: open failed
Port forwarding failed. Just by writing the option into the public key entry, port forwarding can be prohibited.
The setting lives only in the public key: even when you log in as the same user ID, the settings that apply change depending on which private key (+ public key) you used to log in!!
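Because the restriction is attached to the key rather than to the account, the practical check on a server is to read authorized_keys and find the entries that still get a full shell plus TCP forwarding. The helper below is an added example (mine, not from this post or from OpenSSH): it treats a key as restricted when its option list contains no-port-forwarding or a command= option, which mirrors the two options tried in this post, and prints the line number and comment of every other key. The parsing rule that the key begins at the first key-type token followed by its base64 blob, and the function name, are my own assumptions.

```shell
#!/bin/sh
# Added example: report authorized_keys entries that carry neither
# no-port-forwarding nor command=, i.e. keys that still get a shell and can
# forward ports. The helper name and the "restricted" rule are assumptions
# made for this post, not OpenSSH behaviour.

# usage: unrestricted_keys FILE   -> one "<line-number> <comment-or-keytype>" per hit
unrestricted_keys() {
  awk '
    BEGIN {
      # the key starts at the first key-type token followed by its base64 blob;
      # everything before it is the comma-separated option list
      keyre = "(ssh-(rsa|dss|ed25519)|ecdsa-sha2-nistp[0-9]+|sk-[^ \t]+) [A-Za-z0-9+/=]+"
    }
    /^[ \t]*#/ { next }        # comment line
    /^[ \t]*$/ { next }        # blank line
    {
      if (!match($0, keyre)) { printf "%d malformed entry\n", NR; next }
      opts = substr($0, 1, RSTART - 1)
      sub(/[ \t,]+$/, "", opts)          # drop the separator before the key
      n = split(substr($0, RSTART), f, /[ \t]+/)
      label = (n >= 3) ? f[3] : f[1]     # comment if present, else key type
      # wrap in commas so a plain substring test cannot match inside another token
      o = "," opts ","
      restricted = (o ~ /,no-port-forwarding,/) || (o ~ /,command="/)
      if (!restricted) printf "%d %s\n", NR, label
    }' "$1"
}
```

Run it as `unrestricted_keys ~/.ssh/authorized_keys`; every line it prints is a key that behaves like a plain password login for that account. Keys that only carry no-pty are deliberately reported, because, as shown below, no-pty still allows commands and forwarding.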
no-pty
no-pty ssh-rsa AAAAB3NzaC1yc2EA...(snip) ===
Result
takuya@atom:~$ ssh 192.168.22.210
PTY allocation request failed on channel 0
takuya@atom:~$
The interactive console is disabled.
Only the pty is unavailable; everything else works as usual. You can still run one-off commands:
takuya@atom:~$ ssh 192.168.22.210 "hostname "   # specifying a command works
debian00
command
This one is handy. You can specify the command that is executed first at login.
Normally a pty is allocated and bash is started, I believe; this skips that.
command="ssh 192.168.22.88" ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQ
Result
takuya@atom:~$ ssh 192.168.22.210
takuya@192.168.22.88's password:
Last login: Sat Aug 13 02:30:23 2011 from 101-net.ne.jp
takuya@ml115:~$
In other words, hopping through a server you want to use as a bastion becomes easy.
You can't specify ssh as the command when running ssh, like this:
takuya@atom:~$ ssh 192.168.22.210 "ssh 192.168.22.83"
but if you write it in authorized_keys it works:
command="ssh 192.168.22.88" ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQ
Besides ssh, nc / connect and the like also work; this has the same effect as writing a ProxyCommand in .ssh/config.
from="pattern-list"
This is handy when Match Address can't be used.
from="192.168.2.0/24" ssh-rsa
Thoughts
With settings written into the public key, a bastion server can be put to even better use.
- server 1 is the bastion
- access server 1-a
- access server 1-b
In a setup like that, if you split the keys used to access server 1, you can choose between a and b:
ssh gw.example.jp -i a.intra.example.jp
ssh gw.example.jp -i b.intra.example.jp
Then install each of those keys on gw.example.com as
command="ssh a.intra" ssh-rsa ASDFAAAA
command="ssh b.intra" ssh-rsa XXsdSD
and by choosing which private/public key pair to use, you can separate access into the intranet.
A public key dedicated to rsync, for example:
no-pty,no-port-forwarding,no-agent-forwarding,command="rsync -az a.intra:/var/www b.intra:/var/www " ssh-rsa ASDFAAAA
Allowing use only from a specific host:
## actually a single line in the file
from="192.168.2.5",no-pty,no-port-forwarding,no-agent-forwarding ssh-rsa ASDFAAAA
Allowing use only from a specific network:
## actually a single line in the file
from="192.168.2.0/24",no-pty,no-port-forwarding,no-agent-forwarding ssh-rsa ASDFAAAA
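Entries like the host- and network-restricted ones above are easy to get wrong by hand: a trailing comma or a line break inside the entry makes sshd skip the whole line. The shell helper below is an added example (mine, not from this post or from OpenSSH) that composes such an entry from an existing public key line; the function names, the option set in locked_down_opts and the key types it accepts are my own choices.

```shell
#!/bin/sh
# Added example: build one restricted authorized_keys entry from an existing
# public key line. Helper names (locked_down_opts, restricted_key_line) are
# assumptions made for this post, not OpenSSH tooling.

# Option list used in this post for keys that may neither get a shell nor
# forward anything; the argument is the from="pattern-list" value (host or CIDR).
locked_down_opts() {
  printf 'from="%s",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding' "$1"
}

# restricted_key_line OPTIONS "KEYTYPE BASE64 [comment ...]"
# Emits "OPTIONS KEYTYPE BASE64 [comment]": options first, one space, then the
# key, which is the single-line layout sshd expects.
restricted_key_line() {
  opts=$1
  # split the public key line into its fields (key type, blob, optional comment)
  set -- $2
  if [ $# -lt 2 ]; then
    echo "expected 'KEYTYPE BASE64 [comment]'" >&2
    return 1
  fi
  keytype=$1; blob=$2; shift 2; comment=$*
  case "$keytype" in
    ssh-rsa|ssh-dss|ssh-ed25519|ecdsa-sha2-*) ;;
    *) echo "unrecognised key type: $keytype" >&2; return 1 ;;
  esac
  # a trailing comma in the option list would make sshd reject the entry
  case "$opts" in *,) opts=${opts%,} ;; esac
  if [ -n "$comment" ]; then
    printf '%s %s %s %s\n' "$opts" "$keytype" "$blob" "$comment"
  else
    printf '%s %s %s\n' "$opts" "$keytype" "$blob"
  fi
}

# Stand-alone demonstration with a constructed (not real) key:
restricted_key_line "$(locked_down_opts 192.168.2.0/24)" \
  "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAB constructed@example"
```

Typical use is `restricted_key_line "$(locked_down_opts 192.168.2.5)" "$(cat backup.pub)" >> ~/.ssh/authorized_keys`, so the restrictions are attached at the moment the key is installed, which is the convenience the post describes for ssh-copy-id.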
A real-world example
The NX server uses this internally:
no-port-forwarding,no-agent-forwarding,command="/usr/NX/bin/nxserver --login" ssh-dss AAAAB3NzaC1kc3MA////
With the NX server you log in as the nx user, and nxserver then logs you in under your own user name.
Examples from the man page
# Comments allowed at start of line
ssh-rsa AAAAB3Nza...LiPk== user@example.net
from="*.sales.example.net,!pc.sales.example.net" ssh-rsa AAAAB2...19Q== john@example.net
command="dump /home",no-pty,no-port-forwarding ssh-dss AAAAC3...51R== example.net
permitopen="192.0.2.1:80",permitopen="192.0.2.2:25" ssh-dss AAAAB5...21S==
tunnel="0",command="sh /etc/netstart tun0" ssh-rsa AAAA...== jane@example.net
Transcribed from the man page:
no-agent-forwarding
    Forbids authentication agent forwarding when this key is used for authentication.
no-port-forwarding
    Forbids TCP forwarding when this key is used for authentication. Any port forward requests by the client will return an error. This might be used, e.g. in connection with the command option.
no-pty
    Prevents tty allocation (a request to allocate a pty will fail).
no-user-rc
    Disables execution of ~/.ssh/rc.
no-X11-forwarding
    Forbids X11 forwarding when this key is used for authentication. Any X11 forward requests by the client will return an error.
permitopen="host:port"
    Limit local ``ssh -L'' port forwarding such that it may only connect to the specified host and port. IPv6 addresses can be specified with an alternative syntax: host/port. Multiple permitopen options may be applied separated by commas. No pattern matching is performed on the specified hostnames, they must be literal domains or addresses.
tunnel="n"
    Force a tun(4) device on the server. Without this option, the next available device will be used if the client requests a tunnel.
cert-authority
    Specifies that the listed key is a certification authority (CA) that is trusted to validate signed certificates for user authentication. Certificates may encode access restrictions similar to these key options. If both certificate restrictions and key options are present, the most restrictive union of the two is applied.
command="command"
    Specifies that the command is executed whenever this key is used for authentication. The command supplied by the user (if any) is ignored. The command is run on a pty if the client requests a pty; otherwise it is run without a tty. If an 8-bit clean channel is required, one must not request a pty or should specify no-pty. A quote may be included in the command by quoting it with a backslash. This option might be useful to restrict certain public keys to perform just a specific operation. An example might be a key that permits remote backups but nothing else. Note that the client may specify TCP and/or X11 forwarding unless they are explicitly prohibited. The command originally supplied by the client is available in the SSH_ORIGINAL_COMMAND environment variable. Note that this option applies to shell, command or subsystem execution. Also note that this command may be superseded by either a sshd_config(5) ForceCommand directive or a command embedded in a certificate.
environment="NAME=value"
    Specifies that the string is to be added to the environment when logging in using this key. Environment variables set this way override other default environment values. Multiple options of this type are permitted. Environment processing is disabled by default and is controlled via the PermitUserEnvironment option. This option is automatically disabled if UseLogin is enabled.
from="pattern-list"
    Specifies that in addition to public key authentication, either the canonical name of the remote host or its IP address must be present in the comma-separated list of patterns. See PATTERNS in ssh_config(5) for more information on patterns. In addition to the wildcard matching that may be applied to hostnames or addresses, a from stanza may match IP addresses using CIDR address/masklen notation. The purpose of this option is to optionally increase security: public key authentication by itself does not trust the network or name servers or anything (but the key); however, if somebody somehow steals the key, the key permits an intruder to log in from anywhere in the world. This additional option makes using a stolen key more difficult (name servers and/or routers would have to be compromised in addition to just the key).
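The command= entries in this post (the bastion hop and the rsync-only key) hard-code the whole command, so the client cannot vary anything. The SSH_ORIGINAL_COMMAND variable described in the man text above allows a command= script to look at what the client actually asked for and permit only a narrow form of it. The wrapper below is an added example, not from this post and not part of OpenSSH or rsync: installed as command="/usr/local/bin/rsync-only" (path and name assumed), it accepts only the "rsync --server ..." invocation that a client-side rsync sends to the remote end, and only for paths under ALLOWED_DIR (assumed to be /var/www); everything else is rejected and logged to stderr. It is meant to be combined with no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding exactly as the rsync entry above does.

```shell
#!/bin/sh
# Added example: forced-command wrapper for an rsync-only key. Install as
#   command="/usr/local/bin/rsync-only",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding ssh-ed25519 AAAA... backup
# Script path, function name and ALLOWED_DIR are assumptions made for this post.
ALLOWED_DIR=${ALLOWED_DIR:-/var/www}

# allow_rsync_into_dir COMMAND
# Returns 0 only if COMMAND is the server-side invocation rsync itself sends
# ("rsync --server [--sender] <flags> . <path>") and <path> lies under ALLOWED_DIR.
allow_rsync_into_dir() {
  cmd=$1
  case "$cmd" in
    "rsync --server "*) ;;   # anything else (a shell, scp, sftp, ...) is rejected
    *) return 1 ;;
  esac
  # Refuse shell metacharacters, quotes and globs: the string is later
  # word-split and exec'd, so nothing may be chained onto or hidden in it.
  case "$cmd" in
    *';'*|*'&'*|*'|'*|*'<'*|*'>'*|*'('*|*')'*|*'$'*|*'`'*|*'*'*|*'?'*|*'['*|*'"'*|*"'"*|*'\'*)
      return 1 ;;
  esac
  # rsync passes the remote path as the last argument
  for w in $cmd; do dest=$w; done
  case "$dest" in
    "$ALLOWED_DIR"|"$ALLOWED_DIR"/*) ;;
    *) return 1 ;;
  esac
  case "$dest" in *..*) return 1 ;; esac   # no climbing out of the tree
  return 0
}

# When sshd runs this script, SSH_ORIGINAL_COMMAND holds what the client asked for.
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
  if allow_rsync_into_dir "$SSH_ORIGINAL_COMMAND"; then
    # unquoted on purpose: split into argv; metacharacters were rejected above
    exec $SSH_ORIGINAL_COMMAND
  fi
  printf 'rsync-only: rejected "%s"\n' "$SSH_ORIGINAL_COMMAND" >&2
  exit 1
fi
```

A client can then run `rsync -az site/ backup-host:/var/www/site/` with that key, while `ssh backup-host` with the same key prints the rejection and exits, because an interactive login arrives with an empty SSH_ORIGINAL_COMMAND and the script returns without exec'ing anything.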
Related items and references
http://d.hatena.ne.jp/takuya_1st/20110423/1303584704
http://d.hatena.ne.jp/takuya_1st/20110813/1313223707
http://www.turbolinux.com/products/server/11s/user_guide/x9016.html
http://dsas.blog.klab.org/archives/50765770.html
Updated 2018-01-05
Fixed typos