Setting a forced SSH command?

[hcgrove]

I can make Android-Password-Store generate an SSH-key, but I would like to restrict what it can do on my server with that key. Is it possible to use a forced command (and what should it be) on that SSH-key? Or am I better off creating a seperate user and give is access to the repo that contains my password store?

[msfjarvis]

Having a separate user is the most reasonable solution here. Move the password store to somewhere outside your home directory, set the PASSWORD_STORE_DIR variable to that directory, and grant access to a secondary account by chown'ing that folder to a new group that consists of you and the limited access user. On an Ubuntu system the process for this would roughly look like this:

mv $HOME/.password-store /my/safe/directory
echo "export PASSWORD_STORE_DIR=/my/safe/directory/.password-store" >> .bashrc
sudo groupadd password_store
sudo adduser pass --disabled-password
sudo adduser pass password_store
chown -R $(whoami):password_store $PASSWORD_STORE_DIR

Then you would add the SSH key to /home/pass/.ssh/authorized_keys and set the URL in Android Password Store to ssh://pass@my.server.ip/my/safe/directory/.password-store.

For maximum security, we recommend that you use the app to generate the SSH key rather than import one into it, since that ensures the private key is always stored on disk in an encrypted form and even if your device is somehow compromised, the private key cannot be used to log into your server.