Dear OpenSSH Team,

attached is a small patch set that updates the OpenSSH manual pages. The changes try to describe more clearly the semantics and implications of the ``command="..."`` and ``no-pty`` authorized_keys options and their related sshd_config directives ``ForceCommand="..."`` and ``PermitTTY=no`` respectively.

As a (Debian) Linux system administrator I recently investigated whether my sshd-related configuration could be made more restrictive with respect to security. In this process, I found that the description of the authorized_keys ``command="..."`` option was not describing the possible usage of the magic command ``internal-sftp``, and that in this case the user's login shell is not started by sshd (e.g. the user could have their login shell set to ``/bin/false`` and still the internal sftp server would process sftp requests from the client).

The biggest caveat, the elephant in the room so to speak, is the question whether the options in the authorized_keys are intended to be identical (and not just similar) with regard to their semantics and implications to the directives in the sshd_config. For example:

* ``no-pty`` in authorized_keys and ``PermitTTY=no`` in sshd_config really look and feel like they are equivalent. However, in monitor.c line 353 only ``auth_opts->permit_pty_flag`` is checked and ``options.permit_tty`` is not. In contrast, in session.c line 1550 both are checked equivalently.

The patch set was created against commit 42a7be81bef70c04732f45ec573622effe56b563 of https://github.com/openbsd/src.git

Awaiting any feedback on what I could improve with the patches, and with best regards,
Max-Julian Pogner
From 1f9a9572874609f33e6be6fbabfa65de89d4adbc Mon Sep 17 00:00:00 2001 From: Max-Julian Pogner <max-julian@xxxxxxxxx> Date: Mon, 4 Aug 2025 11:18:41 +0200 Subject: [PATCH 1/3] document that 'no-pty' is identical to 'PermitTTY=no' --- usr.bin/ssh/sshd.8 | 1 + 1 file changed, 1 insertion(+) diff --git a/usr.bin/ssh/sshd.8 b/usr.bin/ssh/sshd.8 index ec5a0af777..bcc80396a5 100644 --- a/usr.bin/ssh/sshd.8 +++ b/usr.bin/ssh/sshd.8 @@ -557,6 +557,7 @@ This might be used, e.g. in connection with the option. .It Cm no-pty Prevents tty allocation (a request to allocate a pty will fail). +Same as sshd_config(5) PermitTTY=no. .It Cm no-user-rc Disables execution of .Pa ~/.ssh/rc . -- 2.39.5
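Review bot: The line added under ".It Cm no-pty" states "Same as sshd_config(5) PermitTTY=no" as a fact, while the cover letter of this series points out that monitor.c checks only auth_opts->permit_pty_flag and not options.permit_tty. Until that difference is settled, word it as a cross-reference rather than an equivalence, or say where the two differ. The reference should also use the macros the page already uses for this, ".Xr sshd_config 5" and ".Cm PermitTTY", instead of plain text.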
From bc2fbdf2a325acad302b7eb33171f52f7d0debbb Mon Sep 17 00:00:00 2001 From: Max-Julian Pogner <max-julian@xxxxxxxxx> Date: Mon, 4 Aug 2025 12:06:58 +0200 Subject: [PATCH 2/3] =?UTF-8?q?document=20that=20command=3D"=E2=80=A6"=20i?= =?UTF-8?q?s=20identical=20to=20ForceCommand.?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- usr.bin/ssh/sshd.8 | 24 +++++++++--------------- usr.bin/ssh/sshd_config.5 | 4 ++++ 2 files changed, 13 insertions(+), 15 deletions(-) diff --git a/usr.bin/ssh/sshd.8 b/usr.bin/ssh/sshd.8 index bcc80396a5..e16c9590f1 100644 --- a/usr.bin/ssh/sshd.8 +++ b/usr.bin/ssh/sshd.8 @@ -483,13 +483,16 @@ restrictive union of the two is applied. .It Cm command="command" Specifies that the command is executed whenever this key is used for authentication. -The command supplied by the user (if any) is ignored. -The command is run on a pty if the client requests a pty; -otherwise it is run without a tty. -If an 8-bit clean channel is required, -one must not request a pty or should specify -.Cm no-pty . +Note, that this command may be superseded by a +.Xr sshd_config 5 +.Cm ForceCommand +directive. This option can be regarded as equaivalent to using that +directive (see there for more details). +.Pp A quote may be included in the command by quoting it with a backslash. +Note, that the command is run on a pty if the client requests a pty; +otherwise it is run without a tty. If an 8-bit clean channel is +required, one must not request a pty or should specify no-pty. .Pp This option might be useful to restrict certain public keys to perform just a specific operation. 
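Review bot: In the command="command" entry of sshd.8, the sentence "The command supplied by the user (if any) is ignored." is removed and nothing in the replacement text restates it; keep it, since that is the property an administrator relies on when restricting a key. The added lines also contain a typo ("equaivalent"), start new sentences in the middle of a source line ("directive. This option", "tty. If an 8-bit") where the removed lines put each sentence on its own line, and replace ".Cm no-pty ." with an unmarked "no-pty".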
@@ -499,15 +502,6 @@ forwarding unless they are explicitly prohibited, e.g. using the .Cm restrict key option. .Pp -The command originally supplied by the client is available in the -.Ev SSH_ORIGINAL_COMMAND -environment variable. -Note that this option applies to shell, command or subsystem execution. -Also note that this command may be superseded by a -.Xr sshd_config 5 -.Cm ForceCommand -directive. -.Pp If a command is specified and a forced-command is embedded in a certificate used for authentication, then the certificate will be accepted only if the two commands are identical. diff --git a/usr.bin/ssh/sshd_config.5 b/usr.bin/ssh/sshd_config.5 index 85b098dfe1..dfe138d6f1 100644 --- a/usr.bin/ssh/sshd_config.5 +++ b/usr.bin/ssh/sshd_config.5 @@ -698,6 +698,10 @@ ignoring any command supplied by the client and if present. The command is invoked by using the user's login shell with the -c option. This applies to shell, command, or subsystem execution. +The command is run on a pty if the client requests a pty; +otherwise it is run without a tty. If an 8-bit clean channel is required, +one must not request a pty or should specify +.Cm PermitTTY=no . It is most useful inside a .Cm Match block. -- 2.39.5
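Review bot: Removing the SSH_ORIGINAL_COMMAND paragraph in the "@@ -499" hunk of sshd.8 leaves the authorized_keys documentation with no mention of that variable or of the fact that the option applies to shell, command or subsystem execution, and the sshd_config.5 lines visible in this patch do not mention SSH_ORIGINAL_COMMAND either. Keep that paragraph in sshd.8 and delete only the "may be superseded" sentence that was moved to the top of the entry, or confirm that the ForceCommand text the entry now defers to covers both points.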
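Review bot: The pty paragraph added to ForceCommand in the sshd_config.5 hunk duplicates the text that the first hunk keeps in sshd.8 ("Note, that the command is run on a pty if the client requests a pty"), although sshd.8 is changed to say "see there for more details". Keep the explanation in one of the two pages and point to it from the other, so the two copies cannot drift apart. The added line "otherwise it is run without a tty. If an 8-bit clean channel is required," should also be split so that the new sentence starts on its own line.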
From a873ebea68596d7837f42ccfbf352d287aa6b6bc Mon Sep 17 00:00:00 2001 From: Max-Julian Pogner <max-julian@xxxxxxxxx> Date: Mon, 4 Aug 2025 12:14:44 +0200 Subject: [PATCH 3/3] document, that the internal-sftp accepts options same as sftp-server --- usr.bin/ssh/sshd_config.5 | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/usr.bin/ssh/sshd_config.5 b/usr.bin/ssh/sshd_config.5 index dfe138d6f1..377b9fed70 100644 --- a/usr.bin/ssh/sshd_config.5 +++ b/usr.bin/ssh/sshd_config.5 @@ -712,7 +712,10 @@ Specifying a command of .Cm internal-sftp will force the use of an in-process SFTP server that requires no support files when used with -.Cm ChrootDirectory . +.Cm ChrootDirectory , +and that does not invoke the user's login shell. +The in-process SFTP server accepts the same options as the external +sftp server. The default is .Cm none . .It Cm GatewayPorts -- 2.39.5
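Review bot: "accepts the same options as the external sftp server" in the internal-sftp paragraph names no manual page; write it as a reference with ".Xr sftp-server 8" so the reader can find the option list. The added clause "and that does not invoke the user's login shell" also sits a few lines below the ForceCommand sentence "The command is invoked by using the user's login shell with the -c option." (visible as context in patch 2/3), so state explicitly that internal-sftp is the exception to that sentence.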
_______________________________________________ openssh-unix-dev mailing list openssh-unix-dev@xxxxxxxxxxx https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
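An added example, not part of the original e-mail or of OpenSSH: a small audit of authorized_keys lines for the combination the message discusses, a forced ``command="..."`` on a key that would still be granted a pty on request. It assumes options take effect left to right (so ``pty`` after ``restrict`` re-enables a pty), recognises key types only by common prefixes, and runs on constructed sample lines with placeholder key material.

```python
import re

# Simplification: a line that starts with one of these prefixes has no options field.
KEYTYPE = re.compile(r"^(ssh-|ecdsa-|sk-)")
OPT = re.compile(r'([A-Za-z0-9-]+)(?:="((?:\\"|[^"])*)")?')

def parse_options(line):
    """Return [(name, value)] from the options field of one line ([] if none)."""
    line = line.strip()
    if not line or line.startswith("#") or KEYTYPE.match(line):
        return []
    opts, pos = [], 0
    while (m := OPT.match(line, pos)):
        name, value = m.group(1).lower(), m.group(2)  # keywords are case-insensitive
        if value is not None:
            value = value.replace('\\"', '"')         # \" is a literal quote
        opts.append((name, value))
        pos = m.end()
        if line[pos:pos + 1] != ",":                  # options end at first non-comma
            break
        pos += 1
    return opts

def audit(line):
    """Return (forced_command, pty_allowed) for one authorized_keys line."""
    command, pty = None, True           # a pty is permitted unless restricted
    for name, value in parse_options(line):
        if name == "command":
            command = value
        elif name in ("restrict", "no-pty"):
            pty = False
        elif name == "pty":
            pty = True                  # assumption: later options override earlier
    return command, pty

def findings(lines):
    """Lines that force a command but would still grant a pty on request."""
    return [l for l in lines if (r := audit(l))[0] is not None and r[1]]

SAMPLE = [  # constructed lines; key material is a placeholder
    'command="internal-sftp" ssh-ed25519 AAAAC3PLACEHOLDER a@example',
    'restrict,command="internal-sftp -R" ssh-ed25519 AAAAC3PLACEHOLDER b@example',
    'restrict,pty,command="echo \\"hi, there\\"" ssh-ed25519 AAAAC3PLACEHOLDER c@example',
    'ssh-ed25519 AAAAC3PLACEHOLDER admin@example',
]

if __name__ == "__main__":
    for l in findings(SAMPLE):
        print("forced command, pty still allowed:", l)
```

This only inspects per-key options; a ``PermitTTY`` or ``ForceCommand`` set in sshd_config is not taken into account.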