# authorized_keys Security Standards
## Rule
Service-account entries in authorized_keys MUST use the `restrict` option, sensitive servers MUST enforce source IP limits (`from=`), and all entries MUST be audited quarterly.
## Format
```bash
# Standard user key (minimal)
ssh-ed25519 AAAA... user@device-2026
# Restricted service account
restrict,command="/usr/local/bin/backup.sh" ssh-ed25519 AAAA... backup@server
# IP-restricted access
from="10.0.0.0/8,192.168.1.0/24" ssh-ed25519 AAAA... admin@office
```
## Restriction Options
```bash
# Full restrictions (recommended for service accounts)
restrict,command="/path/to/script" ssh-ed25519 AAAA... deploy@ci
# This enforces:
# - no-agent-forwarding
# - no-port-forwarding
# - no-pty (no terminal allocation)
# - no-X11-forwarding
# - no-user-rc
# Plus: command= forces the specified command, so no interactive shell is available
```
## Examples
### CI/CD Deploy Key
```bash
# Can only run deploy script, no interactive access
restrict,command="/opt/deploy/run.sh" ssh-ed25519 AAAA... deploy@github-actions
```
### Backup Service
```bash
# Can only run rsync, limited to specific IP
from="10.0.1.5",restrict,command="/usr/bin/rsync --server" ssh-ed25519 AAAA... backup@nas
```
### Developer Access
```bash
# Full access but from office IP range only
from="203.0.113.0/24" ssh-ed25519 AAAA... developer@laptop-2026
```
## Audit Requirements
```bash
#!/bin/bash
# Quarterly review script
echo "=== authorized_keys audit ==="
for user_home in /home/*; do
    auth_file="$user_home/.ssh/authorized_keys"
    if [[ -f "$auth_file" ]]; then
        echo "--- $(basename "$user_home") ---"
        # Count keys (blank lines and comments are not keys)
        grep -cEv '^[[:space:]]*(#|$)' "$auth_file"
        # Flag unrestricted keys (blank lines and comments are skipped)
        grep -Ev '^[[:space:]]*(#|$)' "$auth_file" | grep -v "restrict"
    fi
done
```
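The audit can also parse each entry's options field instead of matching on text, which catches a key whose only "restrict" sits inside a quoted `command=` string or whose `restrict` is undone by a later `pty` or `port-forwarding` option. The following is an added example, not part of the original standard; the function names and the `service_account`/`sensitive` flags are hypothetical, and the sample line is constructed.

```python
KEY_TYPES = ("ssh-", "ecdsa-sha2-", "sk-ssh-", "sk-ecdsa-")   # key-type prefixes
REENABLE = {"pty", "port-forwarding", "agent-forwarding", "x11-forwarding", "user-rc"}

def split_unquoted(text, sep, limit=-1):
    """Split on sep, ignoring separators inside double-quoted option values."""
    parts, buf, quoted, i = [], "", False, 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and quoted and i + 1 < len(text):   # keep \" escapes whole
            buf += text[i:i + 2]
            i += 2
            continue
        if ch == '"':
            quoted = not quoted
        if ch == sep and not quoted and limit != 0:
            parts.append(buf)
            buf, limit = "", limit - 1
        else:
            buf += ch
        i += 1
    return parts + [buf]

def parse_entry(line):
    """Return (options, key_type) for one non-comment authorized_keys line."""
    head, *tail = split_unquoted(line.strip(), " ", 1)
    if head.startswith(KEY_TYPES):            # line has no options field
        return {}, head
    opts = {}
    for item in split_unquoted(head, ","):
        name, _, value = item.partition("=")
        opts[name.lower()] = value.strip('"')  # option names are case-insensitive
    return opts, (" ".join(tail).split() or [""])[0]

def audit(line, service_account=True, sensitive=False):
    """List policy findings for one entry; an empty list means compliant."""
    opts, key_type = parse_entry(line)
    checks = [
        (service_account and "restrict" not in opts, "missing restrict"),
        (service_account and "command" not in opts, "missing command="),
        (sensitive and "from" not in opts, "missing from="),
        (key_type == "ssh-rsa", "ssh-rsa key"),
    ]
    overrides = sorted(REENABLE & opts.keys()) if "restrict" in opts else []
    return [msg for bad, msg in checks if bad] + [f"{o} overrides restrict" for o in overrides]

if __name__ == "__main__":
    # Constructed sample: "restrict" appears only inside the command string.
    print(audit('command="/bin/echo restrict" ssh-ed25519 AAAA... svc@host'))
```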
## Good
```bash
restrict,command="/opt/deploy/run.sh",from="10.0.0.0/8" ssh-ed25519 AAAA...
```
## Bad
```bash
# No restrictions, RSA, root access
ssh-rsa AAAA... root@server
```