~/.ssh/authorized_keys is more than just a file listing valid public keys which can be used for server access. Each key can be preceded by a list of options:
from="127.0.0.1",command="foo" ssh-rsa AAAAB3...kPQ my-key-comment-here
I had come across this before when setting up an SSH key to only be usable from the local host, but never explored the options beyond that. Some particularly useful/interesting options:
from='list'- list of IP addresses or remote hosts from which the connection must originate to be permitted. I have used this before when setting up local host only SSH keys for WordPress updates (perhaps a blog post for the future), setting
127.0.0.1as the only valid origin IP for the key.
foocan be a command with options etc. This is executed when the key is used.
foooverrides any command specified by the user, which is the really useful feature. This allows us to enforce a particular use for a particular key (e.g. only allow the backup key to run
environment="NAME=value"- Automatically set environment variables when the key is used.
There are other available options as well. Worth remembering here that the server configuration can be set to override the options given, something to double-check when putting this in to practice.