matching on client public key

Igor Bukanov igor at
Tue Feb 17 17:51:27 AEDT 2015

As I understand currently there is no way in sshd_config to match
based on the client public key so different configuration for the same
username can be applied depending on the key, right?

My case is a backup login that needs to run as a root to access all
the files and where I want to use ForceCommand to allow the login only
to execute a particular command and yet still allow normal root
logins. As a workaround currently I have a dummy account with
ForceCommand that executes a setuid wrapper for the backup where the
wrapper can only run from that account. It works, but it would be nice
to avoid this error-prone extra-account+setuid combination and allow
in sshd_config either to match based on public keys or to support
custom mapping of ssh accounts into system ones.

More information about the openssh-unix-dev mailing list