6. User Imposed Restrictions on Public Keys

We’ve talked a lot about using keys to gain access. But how can you restrict what a key may be used for? Edit ~/.ssh/authorized_keys on the machine(s) you wish the key to be used to log into, creating the ~/.ssh directory (mode 0700) and/or the file if they don’t exist. You restrict what a key can do by inserting rules at the start of that key’s line (note that the lines are very long and will wrap).

The various restrictions you can put on a key are outlined in the man page for sshd, under the section titled “AUTHORIZED_KEYS FILE FORMAT”. There are some examples further down the page. There aren’t many, so you can read them all.
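The line layout described above (optional rules, then key type, key and comment) can be audited mechanically. The following is an added example, not part of the original exercise: it parses each authorized_keys line, including quoted rule values that contain commas, spaces or escaped quotes, and lists the keys that carry no rules at all. The sample lines, the placeholder key blobs and the `rsync-only` command path are constructed for illustration.

```python
import re

# Common key type names; a line that starts with one has no options field.
KEY_TYPE = re.compile(r"^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-\S+|sk-\S+@openssh\.com)$")

def split_options(field):
    """Split the options field on commas that sit outside double quotes."""
    opts, cur, in_q, i = [], "", False, 0
    while i < len(field):
        if in_q and field[i:i + 2] == '\\"':   # escaped quote inside a value
            cur, i = cur + '"', i + 1
        elif field[i] == '"':
            in_q = not in_q
        elif field[i] == "," and not in_q:
            opts, cur = opts + [cur], ""
        else:
            cur += field[i]
        i += 1
    return opts + [cur] if cur else opts

def parse_line(line):
    """Return (options, key_type, comment), or None for blank/comment/bad lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    end = 0
    if not KEY_TYPE.match(line.split(None, 1)[0]):
        # Options end at the first whitespace outside double quotes.
        in_q, end = False, len(line)
        for i, ch in enumerate(line):
            if ch == '"' and line[i - 1:i] != "\\":
                in_q = not in_q
            elif ch.isspace() and not in_q:
                end = i
                break
    parts = line[end:].split(None, 2)
    if len(parts) < 2:
        return None
    return split_options(line[:end]), parts[0], parts[2] if len(parts) > 2 else ""

def unrestricted(text):
    """Comments of the keys that carry no options at all."""
    parsed = (parse_line(l) for l in text.splitlines())
    return [p[2] for p in parsed if p and not p[0]]

# Constructed sample; key blobs are placeholders, rsync-only is hypothetical.
SAMPLE = r'''ssh-ed25519 AAAAC3PLACEHOLDER1 alice@laptop
no-agent-forwarding,from="192.0.2.0/24,198.51.100.7" ssh-ed25519 AAAAC3PLACEHOLDER2 backup@nas
command="/usr/local/bin/rsync-only --log \"nightly run\"",no-pty ssh-rsa AAAAB3PLACEHOLDER3 cron job key
'''
```

Calling `unrestricted(SAMPLE)` returns the comment field of every key that has no rules, which is the list to review first on a shared host.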

  1. Add a restriction such that you can no longer request X11 forwarding. Test it. You may remove the restriction after you have completed the test.