Home / server / Questions / 415291
Accepted
amateur barista
Asked: 2012-08-08 14:44:03 +0800 CST

sshd_config versus authorized_keys command parameter

  • 772

Background: I added OTP token authentication to my web server. I modified the /etc/ssh/sshd_config file with the ForceCommand /token/script command.

Problem: I have a local Jenkins instance connecting to the web server for doing deployments; Jenkins can't enter token info or respond to phone calls (although who knows, I bet there's even a plugin for that!).

Possible solution: use the ~/user/authorized_keys command parameter to force the token script on all keys, except for the key being used by jenkins.

Question: How less secure than the global sshd_config approach the authorized_keys approach is? Would you consider it an acceptable trade-off? Is there a better solution (that allows Jenkins to do slave deployments, whilst keeping everyone else locked down with token auth?).

I've tried both approaches and both work like a charm. The second approach I find more practical in terms of deployments, but it raises some sort of internal red flags for me. I don't know if I'm chasing ghosts (with the red flags). Discuss!

security

1 Answers

  1. Best Answer

    Use the Match command in your sshd_config to apply different rules to the jenkins user than you do to other users:

    • Match: Introduces a conditional block. If all of the criteria on the Match line are satisfied, the keywords on the following lines override those set in the global section of the config file, until either another Match line or the end of the file.

    See the sshd_config man page for complete documentation.

    • 2