Reviewing Authorized-Key Options
Authorized-key options are used to restrict where the authorization can be used from, and what the authorization can be used to do.
To review authorized-key options via the GUI:
- On the User Keys→Authorized keys page, click an authorized key to display its details panel. The options specified for that authorized key are displayed in OpenSSH and Tectia format, under the OpenSSH key options and the Tectia key options sections of the details panel.
To display key options using the command-line client, use the commands list-authorized-keys or show-authorized-key (described in list-authorized-keys and list-request-approvals respectively):
$ ssh-mgr-client list-authorized-keys -C id,key_options
$ ssh-mgr-client show-authorized-keys -i 99 -C id,key_options
The following list describes common authorized-key options and their functionality:
- allow-from: Specifies what addresses the authorization can be used from. If allow-from addresses are specified, authorizations are only allowed from these addresses, and authorization attempts from other addresses are denied. An authorized key supports any number of allow-from addresses.
- deny-from: Authorization attempts from these addresses are denied. An authorized key supports any number of deny-from addresses.
- command: Specifies the command restriction (also called forced command) for the authorization. When specified, successful authentication will result in the specified command being run on the login shell, after which the user is automatically logged out. When no command restriction is specified, the user is provided shell access upon successful authentication.
- no-agent-forwarding: When this option is set, agent forwarding is disabled.
- no-port-forwarding: When this option is set, port forwarding is disabled.
- no-pty: When this option is set, tty allocation is disabled.
- no-x11-forwarding: When this option is set, X11 forwarding is disabled.
For complete information about what authorized-key options are supported by your SSH products, please consult their respective product documentation.
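The following is an added example, not part of the product documentation or of ssh-mgr-client: a Python check that parses the options field of OpenSSH-format authorized_keys lines and reports which of the restrictions listed above each key lacks. It assumes the OpenSSH spelling from="..." for the source-address restriction and treats the OpenSSH restrict option as implying the no-* flags; the sample lines and key material are constructed.

```python
import re

# Restriction options from the list above, in OpenSSH authorized_keys spelling.
# Assumption: the OpenSSH form of a source-address restriction is from="...".
NO_FLAGS = ("no-agent-forwarding", "no-port-forwarding", "no-pty", "no-x11-forwarding")
KEY_TYPE = re.compile(r"(ssh-|ecdsa-|sk-)\S+\s")
OPTION = re.compile(r'([A-Za-z0-9-]+)(?:="((?:\\.|[^"\\])*)")?(,|\s+)')

def parse_options(line):
    """Return the options field of one authorized_keys line as a dict."""
    opts, pos = {}, 0
    if KEY_TYPE.match(line):          # line starts with the key type: no options
        return opts
    while (m := OPTION.match(line, pos)):
        name, value, sep = m.groups()
        # Option names are case-insensitive; quoted values may contain \" and commas.
        opts[name.lower()] = True if value is None else value.replace('\\"', '"')
        pos = m.end()
        if sep != ",":                # whitespace ends the options field
            break
    return opts

def missing_restrictions(line):
    """List the restrictions described above that this key does NOT carry."""
    opts = parse_options(line)
    missing = [o for o in ("from", "command") if o not in opts]
    for flag in NO_FLAGS:
        # "restrict" implies every no-* flag unless re-enabled (e.g. by "pty").
        implied = "restrict" in opts and flag[3:] not in opts
        if flag not in opts and not implied:
            missing.append(flag)
    return missing

# Constructed sample lines (key material replaced by placeholders).
SAMPLE = [
    'from="10.0.0.0/8",command="/usr/bin/rsync --server .",no-pty,'
    'no-agent-forwarding,no-port-forwarding,no-X11-forwarding ssh-ed25519 AAAAC3placeholder backup',
    'command="echo \\"a, b\\"",restrict ssh-rsa AAAAB3placeholder batch',
    'ssh-ed25519 AAAAC3placeholder admin@laptop',
]

if __name__ == "__main__":
    for entry in SAMPLE:
        print(entry.split()[-1], "->", missing_restrictions(entry) or "fully restricted")
```

A key with no options at all, like the third sample, gives shell access from any address with all forwarding enabled, so it is the first kind of entry to look for in a review.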