Tailscale SSH - Restrict user to specific command

Hello,
I have a server that runs borg-backup nightly to another server over SSH. For security, I restrict the backup SSH user to only the borg service on the backup server by editing the authorized_keys file:

command="borg serve --restrict-to-path /home/borg/backupdir",restrict ssh-rsa DKGWIE....

With the above configuration, the backup user can’t use SSH for normal commands. Is there a way to do something similar when using Tailscale SSH?

Thank you!
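
For reference, an added example (not part of the original post, and not Tailscale or borg code): a Python check that parses the options field of OpenSSH authorized_keys lines like the one above and reports entries that lack a forced command or `restrict`. The function names and the sample key material are constructed for illustration.

```python
# Added example: audit authorized_keys entries for forced-command restrictions.
# Key-type prefixes mark an entry that has no leading options field.
KEY_PREFIXES = ("ssh-", "ecdsa-sha2-", "sk-ssh-", "sk-ecdsa-")
# Options that switch a feature back on after 'restrict' (see sshd(8)).
REENABLE = {"pty", "port-forwarding", "agent-forwarding", "x11-forwarding", "user-rc"}

def parse_entry(line):
    """Return (options dict, remainder). Options end at the first unquoted space."""
    line = line.strip()
    if line.startswith(KEY_PREFIXES):
        return {}, line
    opts, cur, quoted, i = [], "", False, 0
    while i < len(line):
        ch = line[i]
        if quoted and line[i:i + 2] == '\\"':   # escaped quote inside a value
            cur, i = cur + '"', i + 2
            continue
        if ch == '"':
            quoted = not quoted
        elif ch == "," and not quoted:          # option separator
            opts.append(cur)
            cur = ""
        elif ch in " \t" and not quoted:        # end of options field
            break
        else:
            cur += ch
        i += 1
    opts.append(cur)
    parsed = {}
    for opt in opts:
        name, _, value = opt.partition("=")
        parsed[name.lower()] = value            # option keywords are case-insensitive
    return parsed, line[i:].strip()

def audit(line):
    """Return findings for one authorized_keys line; an empty list means OK."""
    opts, _key = parse_entry(line)
    findings = []
    if not opts.get("command"):
        findings.append("no forced command: key may run any command")
    if "restrict" not in opts:
        findings.append("no 'restrict': forwarding and PTY not disabled")
    else:
        findings += [f"'{o}' re-enabled" for o in sorted(REENABLE.intersection(opts))]
    return findings

if __name__ == "__main__":
    # Constructed sample lines; the key blobs are placeholders, not real keys.
    for sample in (
        'command="borg serve --restrict-to-path /home/borg/backupdir",restrict ssh-rsa AAAA_CONSTRUCTED backup',
        'ssh-ed25519 AAAA_CONSTRUCTED admin',
    ):
        print(audit(sample) or "OK")
```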

We have a bug tracking this issue here: FR: Add support for authorized_keys command mapping using tailscale ssh · Issue #4909 · tailscale/tailscale · GitHub