Setting Options for Authorized Keys
Authorized-key options can be set to specify the locations from which an authorization can be used, and what the authorization can be used to run. Examples of commonly supported option types include the following:
- allow-from: Specifies what addresses the authorization can be used from. If allow-from addresses are specified, authorizations are only allowed from these addresses, and authorization attempts from other addresses are denied. An authorized key supports any number of allow-from addresses.
- deny-from: Authorization attempts from these addresses are denied. An authorized key supports any number of deny-from addresses.
- from: A list of IP addresses and/or networks that defines where the authorization can be used from. Used for specifying both allowed and denied addresses.
- command: Specifies the command restriction (also called the forced command) for the authorization. When specified, successful authentication will result in the specified command being run on the login shell, after which the user is automatically logged out. When no command restriction is specified, the user is typically provided shell access upon successful authentication.
- no-agent-forwarding: When this option is set, agent forwarding is disabled.
- no-port-forwarding: When this option is set, port forwarding is disabled.
- no-pty: When this option is set, tty allocation is disabled.
- no-x11-forwarding: When this option is set, X-window forwarding is disabled.
Ensure that the authorized-key options you specify are supported by the SSH product that the selected keys belong to. Incorrect options may cause the selected keys to become unusable. For a complete list of supported key options, please consult the documentation of your SSH product.
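The following added example (not part of the Key Manager product or its documentation) parses the options field of an authorized-key entry and reports which of the restriction options listed above it does not set. It assumes the OpenSSH authorized_keys format, where options are comma-separated, values are double-quoted, and a leading "!" in a from pattern marks a denied address; the function names and sample entries are constructed for illustration.

```python
import re

# Restriction options from the list above, in OpenSSH authorized_keys spelling.
RESTRICTIONS = ("from", "command", "no-agent-forwarding",
                "no-port-forwarding", "no-pty", "no-x11-forwarding")
KEY_PREFIXES = ("ssh-", "ecdsa-sha2-", "sk-")
QUOTED = r'"(?:\\.|[^"\\])*"'          # quoted value; \" may appear inside
FIELD = re.compile(rf'((?:{QUOTED}|[^\s"])+)\s+(.+)')
OPTION = re.compile(rf'([A-Za-z0-9-]+)(?:=({QUOTED}))?(?:,|$)')

def parse_entry(line):
    """Return (options dict, key type) for one authorized_keys entry."""
    line, opts = line.strip(), {}
    if not line.startswith(KEY_PREFIXES):      # entry begins with options
        m = FIELD.match(line)
        if not m:
            raise ValueError("malformed options field or missing key")
        raw, line = m.groups()
        pos = 0
        while pos < len(raw):
            o = OPTION.match(raw, pos)
            if not o:
                raise ValueError(f"bad option at offset {pos}: {raw[pos:]!r}")
            value = (o.group(2) or '""')[1:-1].replace('\\"', '"')
            opts[o.group(1).lower()] = value
            pos = o.end()
    return opts, line.split()[0]

def source_rules(opts):
    """Split from= into (allowed, denied) patterns; '!' marks a denied one."""
    pats = [p for p in opts.get("from", "").split(",") if p]
    return ([p for p in pats if p[0] != "!"], [p[1:] for p in pats if p[0] == "!"])

def missing_restrictions(line):
    """Restriction options from the list above that the entry does not set."""
    return [r for r in RESTRICTIONS if r not in parse_entry(line)[0]]

# Constructed sample entries (truncated, non-functional key blobs).
SAMPLE = [
    'from="10.0.0.0/8,!10.9.9.9",command="/usr/bin/backup --mode \\"full\\"",no-pty '
    'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5EXAMPLE backup@host',
    'ssh-rsa AAAAB3NzaC1yc2EEXAMPLE admin@host',
]

if __name__ == "__main__":
    for entry in SAMPLE:
        opts, ktype = parse_entry(entry)
        print(ktype, source_rules(opts), "missing:", missing_restrictions(entry))
```

An entry with no options at all, like the second sample, reports every restriction as missing, which is the case where successful authentication typically yields unrestricted shell access.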
To modify authorized-key options for certain keys:
- On the User keys→Authorizations page or on the User keys→Authorized keys page, perform a Set Options action on the target authorized key(s).
Authorized-key options can also be set via the command-line client (detailed under User-Key Commands):
ssh-mgr-client add-authorized-key-options
ssh-mgr-client remove-authorized-key-options
ssh-mgr-client set-authorized-key-options
ssh-mgr-client update-authorized-key-options
If an authorized key for which you modify authorized-key options becomes identical to another existing authorized key, these keys are represented as a single entry in the Key Manager system.
When you perform a management action on a key entry that represents multiple identical keys, that action is performed for all the keys represented by the entry.
For more information about when authorized keys are considered identical, see Key Manager Behavior with Multiple Identical Keys.