Score:0

Secure method for automated copying of files over a root ssh connection


I currently have a few different services running on my home server and, for simplicity, I have a single VM manage the certificates via certbot and just copy them across the network using SCP.

The ssh connections are key-secured, but since I'm running it automated, the keys themselves don't require a password, which obviously isn't ideal.

The keys are only stored in the root account of the VM that manages certbot, but I'd still like an option where the script could copy the files across without me essentially having an unsecured method of root access to the other systems on my network if someone gained access to one of them.

Is there a way to only allow certain commands to be passed over an ssh connection without allowing it to open a shell session, or can anyone think of another way to copy the files across in my weekly cron job that wouldn't leave an option for someone to ssh across to my other machines?

My router only enables the user for certbot on a Saturday evening, which allows my VM to ssh in and run a script that disables the firewall rule that blocks port 80, runs the certbot renew command, enables the firewall rules again and disables the certbot user. I'm comfortable enough with this since there's only a maximum 15 minute window each week where the router user is enabled.

It's the copying of the certificates that's the problem, as obviously, with it being carried out as root, the accounts are active at all times.

#!/bin/bash
# Router-side script: enables the temporary certbot user and opens port 80
ssh [email protected] "/system script run certbotenable"
#ufw allow 80
certbot renew
#ufw delete allow 80
systemctl restart apache2
# Router-side script: closes port 80 again and disables the certbot user
ssh [email protected] "/system script run certbotdisable"
# Push the renewed certificate and key to each host as root
scp /etc/letsencrypt/live/sazed.mydomain.com/cert.pem root@sazed:/etc/pve/local/pveproxy-ssl.pem
scp /etc/letsencrypt/live/sazed.mydomain.com/privkey.pem root@sazed:/etc/pve/local/pveproxy-ssl.key
scp /etc/letsencrypt/live/rashek.mydomain.com/cert.pem root@rashek:/root/ssl/fullchain.pem
scp /etc/letsencrypt/live/rashek.mydomain.com/privkey.pem root@rashek:/root/ssl/privkey.key
# Proxmox only picks up the new certificate after a restart of pveproxy
ssh root@sazed "service pveproxy restart"
Romeo Ninov
Questions on Server Fault must be about managing information technology systems in a business environment. Home and end-user computing questions may be asked on Super User, and questions about development, testing and development tools may be asked on Stack Overflow.
Will
Apologies @RomeoNinov, I'll remember that for next time.
Score:1

You can generate multiple ssh key pairs.

On the remote server you can use the advanced options in the authorized_keys file and add limits to each public key. That allows you to restrict the amount of access that logins with a particular key pair are granted.

See authorized_keys file format description in https://www.freebsd.org/cgi/man.cgi?sshd(8) for the options and their meaning.

Useful options are, for example, command=, which limits access to only a single command/executable/script.

Fairly typical is to force internal-sftp; then only file transfers with sftp will be allowed.

Or from=, which limits the source IP addresses from which connections are accepted.

Similarly, in /etc/ssh/sshd_config you can set additional requirements for root logins with a Match directive, i.e. when you still need to allow password logins for all regular users, you can use that to specify that only public key based logins are accepted for root:

# /etc/ssh/sshd_config
#here go defaults for all connections/users
PasswordAuthentication yes
PubkeyAuthentication yes
...
# Use Match directives to override the default settings and specify
# specific settings for users, groups, hosts
# https://man.openbsd.org/sshd_config#Match
Match User root
    PasswordAuthentication no

And of course you can avoid the whole root / privileged account issue by configuring a pull rather than push approach.
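As an added example, not part of the answer above or of the asker's setup, here is a forced-command wrapper that implements the command= restriction for exactly the scp and restart commands the asker's cron job sends to sazed, so that the root key can do nothing else. The install path /usr/local/bin/certcopy-only, the source address 192.0.2.10, the tag certcopy-only and the key material in the comment are placeholders.

```shell
#!/bin/sh
# certcopy-only: forced-command wrapper for the certificate-copy key.
# Assumed (hypothetical) install path on the target host: /usr/local/bin/certcopy-only
#
# Matching entry for /root/.ssh/authorized_keys on sazed (address and key are placeholders):
#
#   restrict,from="192.0.2.10",command="/usr/local/bin/certcopy-only" ssh-ed25519 AAAAC3... certbot-vm
#
# "restrict" turns off port/agent/X11 forwarding and pty allocation, "from=" ties the
# key to the certbot VM's address, and "command=" makes sshd run this script instead of
# whatever the client asked for. The client's request arrives in $SSH_ORIGINAL_COMMAND;
# an interactive login arrives with it unset, which the wrapper also refuses.

# Exact request strings the cron job's client side produces. An upload
# "scp local root@host:/remote/path" asks the server to run "scp -t /remote/path"
# (legacy scp protocol; OpenSSH 9.0+ clients need "scp -O" for this).
allowed_command() {
    case "$1" in
        "scp -t /etc/pve/local/pveproxy-ssl.pem") return 0 ;;
        "scp -t /etc/pve/local/pveproxy-ssl.key") return 0 ;;
        "service pveproxy restart")               return 0 ;;
        *)                                        return 1 ;;
    esac
}

# Record a refusal in the target host's auth log and tell the client why it was cut off.
log_refusal() {
    if command -v logger >/dev/null 2>&1; then
        logger -p auth.warning -t certcopy-only "$1"
    fi
    printf '%s\n' "certcopy-only: $1" >&2
}

# Decide whether a request may run: 0 for an allow-listed command, 1 for anything else.
# Kept separate from the exec below so the policy can be exercised without an ssh session.
check_request() {
    req="$1"
    if [ -z "$req" ]; then
        log_refusal "refused interactive session"
        return 1
    fi
    if ! allowed_command "$req"; then
        log_refusal "refused: $req"
        return 1
    fi
    return 0
}

# Only act as the forced command when sshd invoked us (sshd sets SSH_CONNECTION);
# run any other way, the script just defines the functions above.
if [ -n "${SSH_CONNECTION:-}" ]; then
    if check_request "${SSH_ORIGINAL_COMMAND:-}"; then
        # Word splitting is intentional: the string matched an allow-list entry verbatim,
        # so the resulting argv is known in advance.
        exec $SSH_ORIGINAL_COMMAND
    fi
    exit 1
fi
```

The match is on the whole request string, so a changed flag (scp -p), a different destination, or a chained command (…; id) is refused rather than partially honoured. Two caveats from practice: OpenSSH 9.0 and later scp clients use the SFTP protocol by default, which asks the server for the sftp subsystem instead of "scp -t …", so the sender needs "scp -O" or the wrapper will refuse the transfer; and the same pattern serves the pull approach mentioned above, since a download "scp root@host:/path local" asks the server for "scp -f /path", which can be allow-listed in the same way on the machine that holds the certificates. The wrapper needs only /bin/sh on the target, so it also fits hosts where a packaged solution is not available.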

Will
The problem with a pull is that it still requires a passwordless ssh login. I found a package called restricted-ssh-commands that has solved my issue for the sazed machine, which is a Proxmox server. I've now restricted that key to only allow the two specific scp commands in my script, and it's working like a charm. Rashek is a little more complicated. It's a HomeAssistant appliance that doesn't have the restricted-ssh-commands package available. I plan on setting it up to pull the files from the machine that downloads the certificates once I can work out what command I'd need to allow.