There's a blog post going around that has an interesting use of SSH
authorized_keys restrict + command:
https://kulinacs.com/ssh-honey-keys/

If you don't want to follow the link, it basically uses the
well-documented authorized_keys feature to restrict a login for an ssh
key to invoking a single binary which logs the access attempt:

restrict,command="/usr/local/bin/honeypot_logger" ssh-rsa AAAA1C8...32Tv== honeypot_...@example.com

Without devolving into an argument about the efficacy of honey keys or
honey pots in general, I'm wondering if this is truly safe from a
security perspective to run on a regular server (not a dedicated honey
pot). Is there anything that an attacker can control that 'restrict'
does not cover, assuming the targeted command is a shell script?
Perhaps with a malicious SSH client as well? By the man page,
'restrict' turns on all restrictions available to the authorized_keys
configuration, but it's not clear if that is really sufficient for
this attack scenario.

Apologies if you feel this is off-topic for the mailing list, but
there's no general OpenSSH discussion list anymore listed on the
openssh site.

-Stefan

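As an added example (not from the post above or from the linked blog), here is what a forced-command logger of the kind being asked about can look like when written as a shell script. It is built around the one input the client actually controls under "restrict", SSH_ORIGINAL_COMMAND, and treats it strictly as data: no eval, no unquoted expansion, control characters and newlines stripped before anything is written so a client cannot forge log lines. The log path, the "honeykey" label and the per-key label argument are assumptions for illustration; SSH_CONNECTION and SSH_ORIGINAL_COMMAND are the variables sshd sets for a forced command.

```shell
#!/bin/sh
# Added example, not the original poster's or the linked blog's script.
# Intended as the target of an authorized_keys entry such as
#   restrict,command="/usr/local/bin/honeypot_logger honeypot_key1" ssh-rsa ...
# where the single argument is an admin-chosen label for the key.
#
# What the remote side can influence when the key carries "restrict":
#   SSH_ORIGINAL_COMMAND  chosen by the client; attacker data, never code
#   SSH_CONNECTION        client ip/port and server ip/port, set by sshd
# "restrict" disables pty, agent/port/X11 forwarding, user-rc and
# environment= options, so the client cannot pre-set PATH, IFS, LD_* etc.
# The PATH is pinned anyway so the script does not depend on that.
PATH=/usr/bin:/bin
export PATH
umask 077

LOG_FILE="${HONEY_LOG:-/var/log/honeykey.log}"   # hypothetical default path

# Reduce an untrusted string to at most 512 printable-ASCII characters.
# Newlines, tabs, ESC and other control bytes are removed, so a client
# cannot inject a forged second record or terminal escape sequences.
sanitize() {
    printf '%.512s' "$1" | LC_ALL=C tr -cd '\040-\176'
}

# Build one single-line record from: timestamp, key label, SSH_CONNECTION,
# SSH_ORIGINAL_COMMAND. cmd= is the last field because it is the one most
# likely to contain spaces or '=' and must not shift the other fields.
build_record() {
    printf 'ts=%s key=%s conn=%s cmd=%s\n' \
        "$(sanitize "$1")" "$(sanitize "$2")" \
        "$(sanitize "${3:-unknown}")" "$(sanitize "${4:-(none)}")"
}

# Append a record for the current connection to the log file.
log_access() {
    build_record "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$1" \
        "${SSH_CONNECTION:-}" "${SSH_ORIGINAL_COMMAND:-}" >> "$LOG_FILE"
}

# Act only when invoked by sshd with the expected label argument; with no
# argument (e.g. when sourced for testing) the functions are defined and
# nothing is logged. The requested command is never executed, nothing is
# printed back to the client, and the exit status is non-zero.
if [ $# -eq 1 ] && [ -n "${SSH_CONNECTION:-}" ]; then
    log_access "$1"
    exit 1
fi
```

Two caveats a practitioner would want alongside this: sshd runs a forced command through the account's login shell (shell -c "..."), so the honey account needs a real shell rather than nologin, and the script should not read from stdin or print anything, since whatever it writes is returned to the client. The length cap and the control-character strip are there for the "malicious client" case in the question: the client can send any bytes it likes as the requested command, and those bytes end up in the log.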