This might be impossible, but this is what I would like:
- Allow the developer to log in to the server via Capistrano so that he can deploy changes, e.g.
cap deploy
- Do not allow the developer to log in to the server when not using Capistrano, e.g.
ssh user@server
More info: Our developers deploy to our server using Capistrano. When running cap deploy
or similar commands, Capistrano logs in to the server (via ssh) using a key that was passed to the developer and runs some commands.
Reason I want to do this: security, and Chef is being used to manage the server (I wouldn't want changes to be made outside of Chef).
Is this possible?
You can limit certain keys in different manners in the authorized_keys file. from= lets you limit the hosts that can use that key; command= allows you to define a certain command. If you wanted multiple commands, you can either write a script or add multiple keys. Any other type of access attempted with that key will not work.
This page has some nice explanations of how, and the limitations.
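One way to implement the "write a script" option from this answer, as an added example that is not code from the answer, from Capistrano or from Chef: a forced-command wrapper that sshd runs instead of whatever the client asked for, so the key works for cap deploy and for nothing else. It assumes deploy_to is /var/www/app, that the wrapper is installed as /usr/local/bin/cap-wrapper.sh, and that the log path and the source network in the authorized_keys line are placeholders. The allowlist patterns are illustrative only; Capistrano versions and plugins send different commands, so the real list has to be built from what the wrapper logs during your own deploys.

```shell
#!/bin/sh
# cap-wrapper.sh: forced command for the deploy key (added example, not from the
# answers above). Referenced from ~deploy/.ssh/authorized_keys like this
# (assumed paths and network):
#   command="/usr/local/bin/cap-wrapper.sh",restrict,from="203.0.113.0/24" ssh-ed25519 AAAA... deployer
# "restrict" (OpenSSH 7.2+) also disables pty, port/agent/X11 forwarding; on
# older sshd use no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding.

APP_ROOT=${CAP_APP_ROOT:-/var/www/app}            # assumed deploy_to
LOG=${CAP_WRAPPER_LOG:-/var/log/cap-wrapper.log}  # assumed log path
nl='
'                                                  # a literal newline, for the checks below

# safe_path P: exactly one path under APP_ROOT, no spaces, no traversal.
safe_path() {
    case "$1" in "$APP_ROOT"/*) ;; *) return 1 ;; esac
    case "$1" in *[!A-Za-z0-9_./-]*|*/../*|*/..) return 1 ;; esac
    return 0
}

# cap_allowed CMD: 0 if CMD is a command "cap deploy" is expected to send, else 1.
# The shapes below are illustrative; derive the real ones from $LOG.
cap_allowed() {
    cmd=$1
    case "$cmd" in
        "cd $APP_ROOT/"*" && "*)                 # Capistrano's "cd DIR && CMD" form
            dir=${cmd%%" && "*}; dir=${dir#"cd "}
            rest=${cmd#*" && "}
            safe_path "$dir" || return 1 ;;
        *) rest=$cmd ;;
    esac
    # Nothing we hand to "sh -c" may chain, redirect, substitute or span lines;
    # a deploy step that genuinely needs a pipe gets its own exact pattern instead.
    case "$rest" in *[';|&<>`$']*|*"$nl"*) return 1 ;; esac
    case "$rest" in
        "/usr/bin/env mkdir -p "*)                safe_path "${rest#"/usr/bin/env mkdir -p "}" ;;
        "/usr/bin/env rm -rf $APP_ROOT/releases/"*) safe_path "${rest#"/usr/bin/env rm -rf "}" ;;
        "/usr/bin/env ls -x $APP_ROOT/releases")  return 0 ;;
        "/usr/bin/env ln -s $APP_ROOT/releases/"*" $APP_ROOT/current")
            t=${rest#"/usr/bin/env ln -s "}; t=${t%" $APP_ROOT/current"}
            safe_path "$t" ;;
        # Free-form arguments: this is the limit of the approach, since
        # "bundle exec" runs the code that was just deployed anyway.
        "/usr/bin/env git "*|"/usr/bin/env bundle exec "*) return 0 ;;
        *) return 1 ;;
    esac
}

cap_main() {
    req=${SSH_ORIGINAL_COMMAND:-}   # unset for a plain "ssh user@server" (shell request)
    printf '%s %s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "${SSH_CONNECTION%% *}" \
        "${req:-<interactive>}" >>"$LOG" 2>/dev/null || :
    if [ -n "$req" ] && cap_allowed "$req"; then
        exec /bin/sh -c "$req"     # runs as the deploy user, as Capistrano expects
    fi
    echo "cap-wrapper: command not permitted for this key" >&2
    exit 1
}

# Only act when sshd invoked this file as the forced command; sourcing it
# elsewhere just defines the functions.
if [ -n "${SSH_CONNECTION:-}" ] && [ "${0##*/}" = "cap-wrapper.sh" ]; then
    cap_main
fi
```

With this in place, ssh user@server still authenticates, but sshd runs the wrapper with SSH_ORIGINAL_COMMAND unset, so the developer gets "command not permitted" instead of a shell, while cap deploy's commands pass through once their shapes are in the allowlist. Note what it does not buy you: a key that may run git and bundle exec inside the app directory can still execute arbitrary code as the deploy user, so the wrapper stops casual logins, and the protection for Chef-managed files has to come from the deploy user not being able to write to them.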
Wrap the call in a web service. A simple PHP script can call the desired command and be protected via Apache with any number of authorization schemes.
This method will also play well with other systems such as CI/CD.