These are some notes on remotely controlling a machine with ssh keys.
On a couple of remote testing machines I wanted to automatically pull the latest updates from git and restart the dæmon. The ~/.ssh/authorized_keys file is normally used “plain” with keys to allow login.
It is, however, possible to run a command when a certain key logs in, instead of dropping to a console. This makes it possible to remotely update and restart a dæmon from a script.
Take, for example, the line
command="/usr/local/bin/update-foo-from-git",no-port-forwarding,no-X11-forwarding,no-agent-forwarding ssh-rsa AAAAB3NzaC1yc2EAAA... firstname.lastname@example.org
This tells sshd that when this particular key is authenticated, forwarding is disabled and the script /usr/local/bin/update-foo-from-git is run as the logged-in user, whatever command the client asked for.
If the script needs to touch something that requires higher privileges, sudo can be configured to allow that user to execute that script as a different user. For example the line
myuser ALL= NOPASSWD: /usr/local/bin/update-foo-from-git
could be added to /etc/sudoers, and the line in .ssh/authorized_keys would then look like
command="/usr/bin/sudo /usr/local/bin/update-foo-from-git",no-port-forwarding,no-X11-forwarding,no-agent-forwarding ssh-rsa AAAAB3NzaC1yc2EAAA... email@example.com
and the script could, for example, restart a system dæmon.
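One way to write the forced-command script itself, as an added example rather than the author's script: the command the client asked for reaches it only as SSH_ORIGINAL_COMMAND, which is matched against fixed strings and never executed. The checkout path /srv/foo, the service name foo, systemctl as the restart mechanism, the update/status action names and the logger tag are assumptions.

```sh
#!/bin/sh
# Added example: a possible /usr/local/bin/update-foo-from-git.
# Assumed, not from the page: REPO_DIR, SERVICE, systemctl, action names.
REPO_DIR="${REPO_DIR:-/srv/foo}"
SERVICE="${SERVICE:-foo}"

# sshd runs this script whatever the client asked for and exports the
# client's request in SSH_ORIGINAL_COMMAND. Anyone holding the key controls
# that text, so it is compared with fixed strings and never evaluated.
select_action() {
    case "$1" in
        ""|update) echo update ;;
        status)    echo status ;;
        *)         echo reject ;;
    esac
}

# Printable, length-capped copy of untrusted text for a log line.
sanitize() {
    printf '%s' "$1" | tr -c 'A-Za-z0-9 ._/-' '?' | cut -c1-60
}

do_action() {
    case "$1" in
        update)
            git -C "$REPO_DIR" pull --ff-only &&
                systemctl restart "$SERVICE" ;;
        status)
            git -C "$REPO_DIR" log -1 --oneline ;;
        *)
            echo "request not allowed" >&2
            return 1 ;;
    esac
}

main() {
    req="${SSH_ORIGINAL_COMMAND:-}"
    action=$(select_action "$req")
    if [ "$action" = reject ]; then
        logger -t update-foo -p auth.warning \
            "rejected '$(sanitize "$req")' from ${SSH_CONNECTION%% *}"
    fi
    do_action "$action"
}

# Run only when installed under the forced-command name used on the page.
case "${0##*/}" in update-foo-from-git) main ;; esac
```

Called through sudo as in the second authorized_keys line, the script normally sees no SSH_ORIGINAL_COMMAND, because sudo's default env_reset does not pass it on, and so takes the default update action.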