Restricting authorized keys in SSH

A little-known SSH trick: when using key-based authentication, you can restrict the things that each key is allowed to do on the server side, by attaching a set of rules to the key in ~/.ssh/authorized_keys2.

For example, the following key can only be used to open a port forward to localhost:8118 on the server side.

# One key per line, with space-separated fields:
# options, keytype, base64-encoded-key, comment
no-pty,no-agent-forwarding,no-X11-forwarding,permitopen="localhost:8118" ssh-rsa BLAH...

There are many more options available; they are documented in the corresponding section of the man page.
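
To check what a restricted key can still do, the following added example (not code from the original post) parses the options field of an authorized_keys line and reports the capabilities that remain. The function names and the sample lines in the test are constructed, and only the options named in the comments are modelled.

```python
import re

# One option: keyword, optional ="quoted value" (\" allowed), then "," or whitespace.
OPTION = re.compile(r'([A-Za-z0-9-]+)(?:="((?:\\.|[^"\\])*)")?(,|\s+)')
KEY_TYPE = re.compile(r"(ssh-|ecdsa-sha2-|sk-)\S+\s")
TOGGLES = {"pty", "agent-forwarding", "x11-forwarding", "port-forwarding"}
# The line from the post above; its key material is elided there as well.
PAGE_LINE = ('no-pty,no-agent-forwarding,no-X11-forwarding,'
             'permitopen="localhost:8118" ssh-rsa BLAH...')

def parse_options(line):
    """Return the ordered (keyword, value) options in front of the key type."""
    opts, pos = [], 0
    if KEY_TYPE.match(line):            # line starts with the key type: no options
        return opts
    while True:
        m = OPTION.match(line, pos)
        if not m:
            raise ValueError("malformed options field at offset %d" % pos)
        opts.append((m.group(1).lower(), m.group(2)))  # keywords are case-insensitive
        pos = m.end()
        if m.group(3) != ",":           # unquoted whitespace ends the options field
            return opts

def audit(line):
    """Report what a key may still do, applying its options in order."""
    caps, dests, forced = TOGGLES | {"exec"}, [], None
    for name, value in parse_options(line.strip()):
        if name == "restrict":          # disables all forwarding and the pty
            caps &= {"exec"}
        elif name.startswith("no-") and name[3:] in TOGGLES:
            caps.discard(name[3:])
        elif name in TOGGLES:           # e.g. "pty" re-enables it after "restrict"
            caps.add(name)
        elif name == "permitopen":      # allowed local-forward destinations
            dests.append(value)
        elif name == "command":         # forced command replaces the client's request
            forced = value
            caps.discard("exec")
    return {"caps": sorted(caps), "permitopen": dests, "command": forced}

if __name__ == "__main__":
    print(audit(PAGE_LINE))
```

For the line from the post, the result still lists exec: no-pty only prevents terminal allocation, so closing off command execution as well takes a command= option.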

Why would you do that?

In short: Principle of Least Privilege.

This is good for keys that are stored in higher-risk places, such as keys used for unattended automated tasks or keys on devices that can easily get lost or stolen. In that case, losing the key grants only limited capabilities to a third party who gains access to it.