How to configure sshd to allow a single command without granting the user full login rights?


11

I am looking for the best way to invoke remote commands over SSH. I created a user "rpcall", generated a new certificate and filled in authorized_keys. It is further secured with

from="ip",no-agent-forwarding,no-X11-forwarding,no-port-forwarding,no-pty ssh-rsa ......

Now the user rpcall cannot log in to a terminal

ssh -l rpc 192.168.12.1
PTY allocation request failed on channel 0

but can run any command

ssh -l rpc 192.168.12.1 cat /etc/passwd

Is there any solution to restrict command execution to just one handler script? For example /home/rpcall/bin/command.sh

I set a bash shell for this user and use .bashrc to force the handler script to run, but I don't know how to pass parameters from the ssh call.

.bashrc for user rpcall

/home/rpcall/bin/command.sh $params1 $params2
exit

ssh call from another machine

ssh -l rpcall 192.168.12.1 "param1" "param2"

Answers:


19

You can use the authorized_keys file to restrict the command. Put command="/home/rpcall/bin/command.sh" in front of the key in the authorized_keys file, and the user will only run that command when they connect.

Check the man page for authorized_keys; here is the information from that man page:

 command="command"
         Specifies that the command is executed whenever this key is used
         for authentication.  The command supplied by the user (if any) is
         ignored.  The command is run on a pty if the client requests a
         pty; otherwise it is run without a tty.  If an 8-bit clean chan-
         nel is required, one must not request a pty or should specify
         no-pty.  A quote may be included in the command by quoting it
         with a backslash.  This option might be useful to restrict cer-
         tain public keys to perform just a specific operation.  An exam-
         ple might be a key that permits remote backups but nothing else.
         Note that the client may specify TCP and/or X11 forwarding unless
         they are explicitly prohibited.  The command originally supplied
         by the client is available in the SSH_ORIGINAL_COMMAND environ-
         ment variable.  Note that this option applies to shell, command
         or subsystem execution.

If you need multiple commands, you basically need to set up several sets of keys, with different keys giving you different commands.

Edit: I just noticed that the original command is available in the SSH_ORIGINAL_COMMAND environment variable, so you can indeed handle that input with your own script and do some clever things.
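As an added example (not code from the thread), here is what a forced-command handler along the lines of /home/rpcall/bin/command.sh can look like: it reads SSH_ORIGINAL_COMMAND, accepts only a fixed set of actions with validated arguments, and never evaluates the client's string as shell. The action names "status" and "backup" and the key options shown in the comment are assumptions for illustration.

```sh
#!/bin/sh
# Forced-command dispatcher for the rpcall key (illustrative, not the thread's script).
# Assumed authorized_keys entry (options before the key, as in the answer):
#   command="/home/rpcall/bin/command.sh",no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding ssh-rsa AAAA...
# sshd runs this script instead of whatever the client asked for; the client's
# request is only visible in $SSH_ORIGINAL_COMMAND and is treated as data.

set -f   # no globbing: a "*" sent by the client must not expand to file names

# safe_token STRING: succeed only if STRING is made of letters, digits, ".", "_" or "-".
safe_token() {
    case "$1" in
        ''|*[!A-Za-z0-9._-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# dispatch "ORIGINAL_COMMAND": run one allow-listed action, print what was done.
# Returns 2 for anything not on the allow list (unknown action, bad arguments).
dispatch() {
    set -- $1            # split on whitespace only; no eval, so ";", "|", "$" stay literal
    action=$1
    [ $# -gt 0 ] && shift
    case "$action" in
        status)
            [ $# -eq 0 ] || return 2
            echo "status: ok"
            ;;
        backup)
            # exactly one argument, a plain name (no "/" or "..", no metacharacters)
            [ $# -eq 1 ] && safe_token "$1" || return 2
            echo "backup: $1"   # a real handler would e.g. tar a fixed directory named by $1
            ;;
        *)
            return 2
            ;;
    esac
}

# Entry point when invoked by sshd as the forced command.
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    dispatch "$SSH_ORIGINAL_COMMAND" || { echo "rejected: $SSH_ORIGINAL_COMMAND" >&2; exit 2; }
fi
```

With this in place, `ssh -l rpcall 192.168.12.1 backup daily` runs the backup branch, while `ssh -l rpcall 192.168.12.1 cat /etc/passwd` is logged as rejected and nothing else executes.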


4
The specified command has access to the arguments through the SSH_ORIGINAL_COMMAND environment variable. That way arguments can be passed to the command; it just needs to parse that environment variable and do the requested work.
奥利弗(Oliver)

Yes, I noticed that as well a few minutes ago, latest edit to the answer.
AugustBitTony 2012年

Perfect solution using the command option and SSH_ORIGINAL_COMMAND, exactly what I needed. Thanks AugustBitTony and Oliver!
安德鲁