
Does ssh-keygen have an option for setting the values like force-command, no-port-forwarding, no-agent-forwarding on a supplied key?

I am thinking of the instance when someone sends you their public key and you want to restrict the commands the key will allow.

I know those options can be changed in an editor, but I prefer the option where it can be set from the command line.

I have seen some ssh-keygen certificate options in the documentation, but I am not sure whether they apply to a public key supplied by another person.

vfclists
  • Keys as such don't have options. If you put a user's key in your `authorized_keys` file, _that entry_ (line) can have such options _in addition to_ the key; see [man 8 sshd](https://man.openbsd.org/sshd.8#AUTHORIZED_KEYS_FILE_FORMAT). OpenSSH certificates _contain_ similar options, because with certs you normally put only the one CA key in authorized_keys, marked as cert-authority, not the individual keys. Of course this requires the user submit their publickey, you create the cert and give it back, and the user uses the cert and _not_ their bare key. – dave_thompson_085 Oct 12 '21 at 03:11
  • @dave_thompson Spot on. Your comment should be an answer. – davidgo Oct 13 '21 at 02:30

0 Answers
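The comment above places the restrictions on the `authorized_keys` entry rather than on the key itself. The following is an added example, not part of the original thread, that builds such an entry from the command line; the helper name `restrict_key`, the forced command path and the sample key are assumptions constructed for illustration. Note that the `authorized_keys` spelling of a forced command is `command="..."`.

```shell
#!/bin/sh
# Added example: build a restricted authorized_keys entry from a supplied
# public key. restrict_key is a hypothetical helper name.
# usage: restrict_key FORCED_COMMAND 'TYPE BASE64 [COMMENT]'
restrict_key() {
    forced_cmd=$1
    pubkey=$2
    nl='
'
    # A newline in either argument would smuggle a second entry into the file.
    case "$forced_cmd$pubkey" in
        *"$nl"*) echo "restrict_key: newline in input" >&2; return 1 ;;
    esac

    read -r ktype blob comment <<EOF
$pubkey
EOF

    # The first field must be a key type. Anything else (for example a line
    # that already carries its own options) is rejected, not passed through.
    case "$ktype" in
        ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
        sk-ssh-ed25519@openssh.com|sk-ecdsa-sha2-nistp256@openssh.com) ;;
        *) echo "restrict_key: unexpected key type '$ktype'" >&2; return 1 ;;
    esac

    # The key blob must be non-empty base64.
    case "$blob" in
        ''|*[!A-Za-z0-9+/=]*) echo "restrict_key: bad key blob" >&2; return 1 ;;
    esac

    # sshd accepts a double quote inside command="..." only as \".
    esc_cmd=$(printf '%s' "$forced_cmd" | sed 's/"/\\"/g')

    printf 'command="%s",no-port-forwarding,no-agent-forwarding %s %s%s\n' \
        "$esc_cmd" "$ktype" "$blob" "${comment:+ $comment}"
}

# Constructed sample key (not a real key) and a placeholder forced command.
SAMPLE_KEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleConstructedBlobNotARealKey00000000000 alice@example'
restrict_key '/usr/local/bin/backup-only' "$SAMPLE_KEY"
# Append the printed line to ~/.ssh/authorized_keys once it has been reviewed.
```

The checks here are structural only; running `ssh-keygen -l -f` on the supplied file first confirms that it parses as a key.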