Remote control via ssh keys

These are some notes on remotely controlling a machine with ssh keys.

On a couple of remote testing machines I wanted to automatically pull the latest updates from git and restart the dæmon. The ~/.ssh/authorized_keys file is normally used “plain” with keys to allow login.

It is, however, possible to run a command when a certain key logs in, instead of dropping to a console. This makes it possible to remotely update and restart a dæmon from a script.

Take, for example, the line

command="/usr/local/bin/update-foo-from-git",no-port-forwarding,no-X11-forwarding,no-agent-forwarding ssh-rsa AAAAB3NzaC1yc2EAAA...

This tells sshd that when this particular key authenticates, port, X11 and agent forwarding are disabled and the script /usr/local/bin/update-foo-from-git is run as the logged-in user, in place of any command the client asks for.

If the script needs to touch something that requires higher privileges, sudo can be configured to allow that user to execute that script as a different user. For example, the line

myuser   ALL= NOPASSWD: /usr/local/bin/update-foo-from-git

could be added to /etc/sudoers, and the line in .ssh/authorized_keys would then look like

command="/usr/bin/sudo /usr/local/bin/update-foo-from-git",no-port-forwarding,no-X11-forwarding,no-agent-forwarding ssh-rsa AAAAB3NzaC1yc2EAAA...

and the script could, for example, restart a system dæmon.
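
A check for entries like the ones above, as an added example that is not part of the original post: it parses the options field of an authorized_keys line (commas and spaces inside quoted values are kept) and reports a missing forced command or missing restrictions. no-pty and restrict are real OpenSSH options that the post does not use; the function names and sample entries are constructed for illustration.

```python
import re

KEY_TYPE = re.compile(r"^(ssh-|ecdsa-sha2-|sk-)")
# The three restrictions used in the post, plus no-pty (an assumption added here).
WANTED = ["no-port-forwarding", "no-X11-forwarding", "no-agent-forwarding", "no-pty"]

def parse_options(line):
    """Return one line's options as {lowercase name: value}; field ends at unquoted space."""
    line = line.strip()
    if KEY_TYPE.match(line):          # line starts with the key type: no options
        return {}
    parts, cur, quoted, i = [], "", False, 0
    while i < len(line) and (quoted or not line[i].isspace()):
        ch = line[i]
        if quoted and ch == "\\" and line[i + 1:i + 2] == '"':
            cur, i = cur + '"', i + 1  # \" inside a quoted value
        elif ch == '"':
            quoted = not quoted
        elif ch == "," and not quoted:
            parts.append(cur)
            cur = ""
        else:
            cur += ch
        i += 1
    if quoted:
        raise ValueError("unterminated quote in options field")
    parts.append(cur)
    return {p.partition("=")[0].lower(): p.partition("=")[2] for p in parts}

def audit(line):
    """List what is missing for a key that should only run one command."""
    options = parse_options(line)
    findings = []
    if not options.get("command"):
        findings.append("no forced command: key allows a normal login")
    if "restrict" not in options:     # restrict implies everything in WANTED
        findings += ["missing " + o for o in WANTED if o.lower() not in options]
    return findings

# Constructed sample entries; the key material is a placeholder.
SAMPLES = [
    'command="/usr/bin/sudo /usr/local/bin/update-foo-from-git",no-port-forwarding,'
    'no-X11-forwarding,no-agent-forwarding ssh-rsa AAAAPLACEHOLDER deploy',
    'restrict,command="/usr/local/bin/update-foo-from-git" ssh-ed25519 AAAAPLACEHOLDER deploy',
    'ssh-rsa AAAAPLACEHOLDER admin',
]

if __name__ == "__main__":
    print([audit(s) for s in SAMPLES])
```

The first sample mirrors the sudo entry from the post and is flagged only for the missing no-pty; the plain key at the end is flagged for everything.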
