It a good idea, especially if you making keys just for automated processes to run like an rsync for instance, to tell the remote end to only allow certain clients to do certain things. Here’s a few tips on things to add to the beginning of your public key in authorized_keys:

1) Lets only allow from a specific host or set of hosts:


2) Let’s not allow anything else at all, not even a tty or forwarding etc..


3) Here we specify only one single command to be run:


So implementing these would look something like:

from=”*”,command=“rsync”,no-port-forwarding,no-pty ssh-rsa AAAAB 3NzaC1yc2EAAAABIwAAAQEAybmcqaU/Xos/GhYCzkV+kDsK8+A5OjaK5WgLMqmu38aPo 56Od10RQ3EiB42DjRVY8trXS1NH4jbURQPERr2LHCCYq6tHJYfJNhUX/COwHs+ozNPE8 3CYDhK4AhabahnltFE5ZbefwXW4FoKOO+n8AdDfSXOazpPas8jXi5bEwNf7heZT++a/Q xbu9JHF1huThuDuxOtIWl07G+tKqzggFVknM5CoJCFxaik91lNGgu2OTKfY94c/ieETO XE5L+fVrbtOh7DTFMjIYAWNxy4tlMR/59UVw5dapAxH9J2lZglkj0w0LwFI+7hZu9XvN fMKMKg+ERAz9XHYH3608RL1RQ==

Gotten from here.

Mario Loria is a builder of diverse infrastructure with modern workloads on both bare-metal and cloud platforms. He's traversed roles in system administration, network engineering, and DevOps. You can learn more about him here.