Enable Selected Commands Only

(You have to set PermitRootLogin forced-commands-only  in order for this to work )

PermitRootLogin  yes,no,without-password,forced-commands-only

without-password : allow root login without password ( Using Keys )

forced-commands-only ( Allow only forced commands  with public key authentication and only if the command option has been specified which can be useful for remote backups and stuffs like that. )

from=”Ip Addr”,command=”/usr/local/scripts/sshcmds.sh”, ssh-rsa DKDFJKDFJkdsjkfdfsdf……..

Note: there is no space between “IP Addr”, and command=”/usr but there is space between sshcmds.sh”, and ssh-rsa


from=”ip_addr”,   ssh-rsa ADDFDKFJDKFJKDJFKDF

sample sshcmds.sh :

!/bin/sh case "$SSH_ORIGINAL_COMMAND" in &) echo "Rejected" ;; () echo "Rejected" ;; {) echo "Rejected" ;; ;) echo "Rejected" ;; <) echo "Rejected" ;; `) echo "Rejected" ;; |) echo "Rejected" ;; rsync\ --server*) $SSH_ORIGINAL_COMMAND ;; *) echo "Rejected" ;; esac

Enable SSH Banner

vi /etc/ssh/sshd_config

Enable the following line

Banner /some/path Save and Restart SSH

In addition to enforcing a command, it is advisable to disable a number of advanced SSH features, such as TCP and X11 forwarding. Assignment of a pseudo terminal to the user’s SSH session may also be suppressed, by adding a number of additional configuration options next to the forced command:


Here’s what a full entry from ~/.ssh/authorized_keys might look like:

<tt>command="/bin/ps -ef",no-port-forwarding,no-X11-forwarding,no-pty ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAp0KMipajKK468mfihpZHqmrMk8w+PmzTnJrZUFYZZNmLkRk+icn+m71DdEHmza2cSf9WdiK7TGibGjZTE/Ez0IEhYRj5RM3dKkfYqitKTKlxVhXNda7az6VqAJ/jtaBXAMTjHeD82xlFoghLZOMkScTdWmu47FyVkv/IM1GjgX/I8s4307ds1M+sICyDUmgxUQyNF3UnAduPn1m8ux3V8/xAqPF+bRuFlB0fbiAEsSu4+AkvfX7ggriBONBR6eFexOvRTBWtriHsCybvd6tOpJHN8JYZLxCRYHOGX+sY+YGE4iIePKVf2H54kS5UlpC/fnWgaHbmu/XsGYjYrAFnVw== Test key</tt>