[Feature]: Allow for setting of SSH Authorized Keys options

[svanzoest]

Problem

Related to #3176 it would be useful to be able to limit what actions can be taken on the SSH server side by being able to set options that can be used in the authorized keys file.

For example, instead of just using the public key such as

ssh-ed25519 AAAAC3NzaC1lZDI1NTEFAAABIF0WOd+BDYmgPy1x71660efXyWbycdH10ocLhjCubGHg user@host

You want to limit abilities based on authorized_keys(5) man page,

restrict,port-forwarding,pty,permitopen="localhost:3000",restrictfrom="192.168.1.0/24",command="/usr/local/bin/script.sh" ssh-ed25519 AAAAC3NzaC1lZDI1NTEFAAABIF0WOd+BDYmgPy1x71660efXyWbycdH10ocLhjCubGHg user@host

Which will allow someone to make sure it is used by authorized users and from authorized networks with the least privileges needed.

Solution

Provide an option to specify authorized key options, or update the public key to take in a whole authorized_keys file instead.

Workaround

No response

Would you like to help us implement this feature by sending a PR?

Yes

[r4victor]

@svanzoest, Are you referring to the user ssh key specified when applying a run configuration? Because currently dstack configures at least two ssh keys on the provisioned instances:

• The user ssh key that allows the user to attach to the instance/run (can be specified explicitly or generated by dstack).
• The project ssh key that allows the dstack server connect to the instance (generated by the dstack server).

I think limiting user's ssh key capabilities should be doable in principle. Would that be sufficient for you?

[github-actions]

This issue is stale because it has been open for 30 days with no activity.

[github-actions]

This issue was closed because it has been inactive for 14 days since being marked as stale. Please reopen the issue if it is still relevant.