Don’t. Generally, these things should be used to alert if an internal service has been compromised (akin to using Canary Tokens), and the key copied. It is, at best, a way to hear someone knocking.
On Wed, May 8, 2019 at 15:59 Stefan R. Filipek <[email protected]> wrote:
> There's a blog post going around that has an interesting use of SSH
> authorized_keys restrict + command:
> https://kulinacs.com/ssh-honey-keys/
>
> If you don't want to follow the link, it basically uses the
> well-documented authorized_keys feature to restrict a login for an ssh
> key to invoking a single binary which logs the access attempt:
>
> restrict,command="/usr/local/bin/honeypot_logger" ssh-rsa AAAA1C8...32Tv== [email protected]
>
> Without devolving into an argument about the efficacy of honey keys or
> honey pots in general, I'm wondering if this is truly safe from a
> security perspective to run on a regular server (not a dedicated honey
> pot). Is there anything that an attacker can control that 'restrict'
> does not cover, assuming the targeted command is a shell script?
> Perhaps with a malicious SSH client as well? By the man page,
> 'restrict' turns on all restrictions available to the authorized_keys
> configuration, but it's not clear if that is really sufficient for
> this attack scenario.
>
> Apologies if you feel this is off-topic for the mailing list, but
> there's no general OpenSSH discussion list anymore listed on the
> openssh site.
>
> -Stefan
>
> -- Semt form my Apqle iPhnoe 4s and gMal Mobble.
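A worked example of the forced command the question is about, added here; it is not code from the thread or from the linked blog post. `restrict` (OpenSSH 7.2 and later) disables pty allocation, port, agent and X11 forwarding and execution of ~/.ssh/rc, but it does nothing about data the client still gets to choose: the command string it requested, which sshd hands to the forced command in SSH_ORIGINAL_COMMAND, and any environment variables that sshd_config's AcceptEnv lets through (many distributions ship `AcceptEnv LANG LC_*`). Two further things a practitioner wants to know: sshd runs a `command=` through the account's login shell as `shell -c command`, so a honey account whose shell is nologin never runs the logger at all; and a shell-script logger is only as safe as its handling of SSH_ORIGINAL_COMMAND. The script below treats every client-influenced value as hostile (never word-split, globbed or eval'd, flattened to bounded printable ASCII so a newline or escape sequence cannot forge log entries), and `unsafe_record` shows the re-evaluation pattern that does make such a script exploitable regardless of `restrict`. The install path, the key comment, the syslog facility and the tag are assumptions for this example.

```shell
#!/bin/sh
# Added example, not code from the thread or the linked post. Forced-command
# logger for a honey key. Assumed to be installed as
# /usr/local/bin/honeypot_logger and referenced from authorized_keys as:
#   restrict,command="/usr/local/bin/honeypot_logger" ssh-rsa AAAA... honey-key
# Everything the client can influence (SSH_ORIGINAL_COMMAND, any AcceptEnv
# variable) is hostile: it is never word-split, globbed or eval'd, and it is
# flattened to bounded printable ASCII before it reaches the log.

# Reduce a client-influenced string to at most 512 printable ASCII bytes
# (drops newlines, ESC and other control bytes), then escape backslash and
# double quote so it can sit inside a quoted log field without breaking it.
sanitize() {
    printf '%s' "$1" | tr -cd ' -~' | cut -c1-512 | sed 's/[\\"]/\\&/g'
}

# Build one log record. $1: SSH_CONNECTION (set by sshd from the socket, so
# trustworthy, but sanitized anyway); $2: SSH_ORIGINAL_COMMAND (client-chosen).
build_record() {
    conn=$(sanitize "$1")
    cmd=$(sanitize "$2")
    printf 'honey-key hit conn="%s" cmd="%s"' "$conn" "$cmd"
}

# The anti-pattern the question worries about: the client-chosen string is
# spliced into a command line that the shell parses a second time. With
# SSH_ORIGINAL_COMMAND='$(id)' this executes id(1) as the honey account, and
# 'restrict' does nothing to stop it. Kept here only to demonstrate the bug.
unsafe_record() {
    eval "printf 'honey-key hit cmd=%s' $1"
}

main() {
    record=$(build_record "${SSH_CONNECTION:-}" "${SSH_ORIGINAL_COMMAND:-}")
    # The record is one argument to logger(1); nothing client-supplied is
    # parsed by the shell on the way there. Facility and tag are assumptions.
    logger -p auth.alert -t honey-key -- "$record"
    # Hand the caller nothing useful: no output, no shell, non-zero exit.
    exit 1
}

# Only act when invoked under the installed name, so the file can also be
# sourced by a test harness without firing an alert.
case "${0##*/}" in
    honeypot_logger) main ;;
esac
```

With the constructed input `$(echo INJECTED)` as the requested command, `build_record` logs the eleven characters literally while `unsafe_record` runs the substitution; that difference, not the `restrict` keyword, is what decides whether a shell-script honey key is safe on a production host.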

