I would like to use command per key in authorized_keys to set some environment variables.
command="MYVAR=test $SHELL" ssh-rsa mykey
Shell works fine but scp is not working.
What would be the correct way to set environment variables per key and not break ssh file transfers?
Your configuration forces ssh to run whatever command is in $SHELL whenever you connect with the matching private key. This is fine if what you want is an interactive shell, but will break any attempt at running a command directly. This breaks `scp as you've seen, but will also break things like:
ssh myhost uptime
The solution is to either (a) set your environment variables somewhere else (.ssh/rc, or just use your standard shell initialization files), or (b) use a dedicated key when you want to force a command via your authorized_keys file.
So I realize this question is ancient at this point but I discovered an answer to this today. This is an alternative to setting environment variables and may be a better solution depending on your situation. My situation is this:
I have a Splunk instance that initiates an SCP and SSH session to a remote host. A list of emails is sent via SCP and then SSH is used to run a script on the remote system to take action on that list of emails. Here's the top of my authorized_keys file:
command="/home/username/wrapper.sh",no-port-forwarding,no-X11-forwarding,no-pty ssh-rsa AAAAB3 etc...
This is my wrapper.sh script:
#!/bin/bash
vars=( $SSH_ORIGINAL_COMMAND )
case "${vars[0]}" in
"/home/username/scripts/myscript.py")
/home/username/scripts/myscript.py ${vars[1]}
exit 0
;;
"scp")
scp -t ${vars[2]}
chmod 644 ${vars[2]}
exit 0
;;
*)
exit 1
;;
esac
The first case allows /home/username/scripts/myscript.py with any command line parameters that were passed to it. The second, scp case entry, allows the incoming file to be written to disk at its intended location.
This method allows me to limit the use of the public key to 1 command and still allow scp. If anyone has a better option please share. :)
