We’ve talked a lot about using keys to gain access. But how can you restrict what a key may be used for? Edit ~/.ssh/authorized_keys on the machine(s) you wish the key to be used to log into, creating the directory (mode 0700) and/or the file if they don’t exist. We can restrict what a key can do by inserting some rules at the start of each line (note that the lines are very long and will wrap).
The various restrictions you can put on a key are outlined in the man page for sshd, under the section titled “AUTHORIZED_KEYS FILE FORMAT”. There are some examples further down the page. There aren’t many, so you can read them all.
Add a restriction such that you can no longer request X11 forwarding. Test it. You may remove the restriction after you have completed the test.
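
To see which restrictions are actually in front of each key on a host, the option field at the start of every authorized_keys line can be parsed, taking care that quoted values may contain commas and spaces. The Python below is an added example, not part of the original page; the function names are hypothetical and the sample file with its placeholder key blobs is constructed.

```python
KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-sha2-", "sk-ssh-", "sk-ecdsa-")

def split_unquoted(text, seps, maxsplit=-1):
    """Split on separators that sit outside double quotes; \\" is an escaped quote."""
    parts, buf, in_quotes, prev = [], [], False, ""
    for ch in text:
        if ch == '"' and prev != "\\":      # an unescaped quote toggles quoting
            in_quotes = not in_quotes
        if ch in seps and not in_quotes and maxsplit != 0:
            parts.append("".join(buf))
            buf, maxsplit = [], maxsplit - 1
        else:
            buf.append(ch)
        prev = ch
    return parts + ["".join(buf)]

def parse_line(line):
    """Return (options, key_type, comment), or None for blank and comment lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    options = {}
    if not line.startswith(KEY_TYPE_PREFIXES):  # first field is the option list
        head = split_unquoted(line, " \t", 1)
        if len(head) < 2:
            raise ValueError("options present but no key follows")
        line = head[1].lstrip()
        for opt in split_unquoted(head[0], ","):
            name, _, value = opt.partition("=")
            if len(value) >= 2 and value[0] == value[-1] == '"':
                value = value[1:-1].replace('\\"', '"')
            options[name.lower()] = value or True  # option keywords are case-insensitive
    fields = line.split(None, 2)
    return options, fields[0], (fields[2] if len(fields) > 2 else "")

def audit(text):
    """Return [(comment, sorted option names)] for each key line in text."""
    parsed = (parse_line(l) for l in text.splitlines())
    return [(p[2], sorted(p[0])) for p in parsed if p]

SAMPLE = '''# constructed sample: the key blobs are placeholders, not real keys
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5PLACEHOLDER1 alice@laptop
no-pty,no-port-forwarding ssh-ed25519 AAAAC3NzaC1lZDI1NTE5PLACEHOLDER2 bob@desk
from="10.0.0.0/8,192.0.2.7",command="/usr/bin/rsync --server --sender . /srv/backup" ssh-rsa AAAAB3NzaC1yc2EPLACEHOLDER3 backup job
'''

if __name__ == "__main__":
    for comment, names in audit(SAMPLE):
        print(comment, "->", ", ".join(names) or "UNRESTRICTED")
```

Keys reported as UNRESTRICTED carry no options at all, which makes them the first lines to review.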