from some workstation
cd ~/.ssh/ ssh-keygen -t ed25519 -f lala ssh-keygen -t ed25519 -f lili cat ~/.ssh/lala.pub cat ~/.ssh/lili.pub
on the server as THAT-USER
vi ~/.ssh/authorized_keys command="/usr/bin/uname -a",no-port-forwarding,no-X11-forwarding,no-agent-forwarding ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKJTvicof1cUayfZ/qJyJ50Cpv1WagT+n+gv8458CMfY elge@bravo command="/bin/netstat -lntup",no-port-forwarding,no-X11-forwarding,no-agent-forwarding ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPgdHLgD+gS9k3Ia6Avl5zU7Iiko1SOoPJ5aQosElAxe elge@bravo
back to the workstation, eventually kill any previously cached key
pkill ssh-agent ps auxww | grep ssh-agent
and double-check what identity the client is using to authenticate
ssh -i ~/.ssh/lala SSH-SERVER -l THAT-USER -v ssh -i ~/.ssh/lili SSH-SERVER -l THAT-USER -v
discussion on vhosts https://stackoverflow.com/questions/15558601/determine-virtual-host-name-on-ssh-connection-would-be-useful-for-virtual-git-h https://serverfault.com/questions/329529/virtual-hosts-for-ssh https://serverfault.com/questions/34552/is-there-a-name-based-virtual-host-ssh-reverse-proxy
this goes bounce http://benno.id.au/blog/2006/06/08/ssh_proxy_command
through HTTPS http://www.zeitoun.net/articles/ssh-through-http-proxy/start
this is what I wanted: proxy per user or pubkey http://quark.humbug.org.au/publications/ssh/ssh-tricks.html https://github.com/tg123/sshpiper - https://asciinema.org/a/222825
Restrict SSH logins to a single command https://research.kudelskisecurity.com/2013/05/14/restrict-ssh-logins-to-a-single-command/