Re: [PATCH] documentation changes for no-pty and force-command


Dear OpenSSH Team,

a new patch set is attached, with:

- fixed the typo
- reworded the «command="…"» section in sshd.8, to make it more clear.

thanks to Brian Candler for feedback.

with best regards,

Max



On 05/08/2025 17:35, Max-Julian Pogner wrote:
Dear OpenSSH Team,

attached is a small patch set that updates the openssh manual pages.

The changes try to describe more clearly the semantics and implications
of the ``command="..."`` and ``no-pty`` authorized_keys options and their
related sshd_config directives ``ForceCommand="..."`` and
``PermitTTY=no`` respectively.

As a (Debian) Linux system administrator I recently investigated
whether my sshd-related configuration could be made more restrictive
with respect to security. In this process, I found that the description
of the authorized_keys ``command="..."`` option was not
describing the possible usage of the magic command ``internal-sftp``,
and that in this case the user's login shell is not started by sshd
(e.g. the user could have their login shell set to ``/bin/false`` and
still the internal sftp server would process sftp requests from the
client).

The biggest caveat, the elephant in the room so to speak, is the
question whether the options in the authorized_keys are intended to
be identical (and not just similar) with regards to their semantics
and implications to the directives in the sshd_config.

For example:

* ``no-pty`` in authorized_keys and ``PermitTTY=no`` in sshd_config
     really look and feel like they are equivalent. However, in
     monitor.c line 353 only ``auth_opts->permit_pty_flag`` is checked and
     ``options.permit_tty`` is not.
     In contrast, in session.c line 1550 both are checked equivalently.

The patch set was created against
commit 42a7be81bef70c04732f45ec573622effe56b563
of https://github.com/openbsd/src.git

awaiting any feedback on what I could improve with the patches
and with best regards,

Max-Julian Pogner

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
From a5e3634476b37087e2f1862cf66f8ba940c66261 Mon Sep 17 00:00:00 2001
From: Max-Julian Pogner <max-julian@xxxxxxxxx>
Date: Mon, 4 Aug 2025 11:18:41 +0200
Subject: [PATCH 1/3] document that 'no-pty' is identical to 'PermitTTY=no'

---
 usr.bin/ssh/sshd.8 | 1 +
 1 file changed, 1 insertion(+)

diff --git a/usr.bin/ssh/sshd.8 b/usr.bin/ssh/sshd.8
index ec5a0af777..bcc80396a5 100644
--- a/usr.bin/ssh/sshd.8
+++ b/usr.bin/ssh/sshd.8
@@ -557,6 +557,7 @@ This might be used, e.g. in connection with the
 option.
 .It Cm no-pty
 Prevents tty allocation (a request to allocate a pty will fail).
+Same as sshd_config(5) PermitTTY=no.
 .It Cm no-user-rc
 Disables execution of
 .Pa ~/.ssh/rc .
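Review bot: The added line "Same as sshd_config(5) PermitTTY=no." asserts full equivalence, but the cover letter for this series points out that monitor.c checks only auth_opts->permit_pty_flag while session.c checks both, so the two are not handled identically everywhere. Either soften the wording to "Similar to" or settle the monitor.c question before documenting them as the same. The reference should also use the page's macros, as the neighbouring entries do: `.Xr sshd_config 5` followed by `.Cm PermitTTY`, rather than plain text.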
-- 
2.39.5

From cfe970e639be1c85a3a1521eec14d853fcd56321 Mon Sep 17 00:00:00 2001
From: Max-Julian Pogner <max-julian@xxxxxxxxx>
Date: Mon, 4 Aug 2025 12:06:58 +0200
Subject: [PATCH 2/3] =?UTF-8?q?document=20that=20command=3D"=E2=80=A6"=20i?=
 =?UTF-8?q?s=20identical=20to=20ForceCommand.?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 usr.bin/ssh/sshd.8        | 20 +++++++-------------
 usr.bin/ssh/sshd_config.5 |  4 ++++
 2 files changed, 11 insertions(+), 13 deletions(-)

diff --git a/usr.bin/ssh/sshd.8 b/usr.bin/ssh/sshd.8
index bcc80396a5..7c59b70f73 100644
--- a/usr.bin/ssh/sshd.8
+++ b/usr.bin/ssh/sshd.8
@@ -483,31 +483,25 @@ restrictive union of the two is applied.
 .It Cm command="command"
 Specifies that the command is executed whenever this key is used for
 authentication.
-The command supplied by the user (if any) is ignored.
-The command is run on a pty if the client requests a pty;
-otherwise it is run without a tty.
-If an 8-bit clean channel is required,
-one must not request a pty or should specify
-.Cm no-pty .
 A quote may be included in the command by quoting it with a backslash.
+The execution of the command is equivalent to
+.Xr sshd_config 5
+.Cm ForceCommand
+(see there for more details).
 .Pp
 This option might be useful
 to restrict certain public keys to perform just a specific operation.
 An example might be a key that permits remote backups but nothing else.
 Note that the client may specify TCP and/or X11
-forwarding unless they are explicitly prohibited, e.g. using the
+forwarding, or request a pty, unless they are explicitly prohibited,
+e.g. using the
 .Cm restrict
 key option.
 .Pp
-The command originally supplied by the client is available in the
-.Ev SSH_ORIGINAL_COMMAND
-environment variable.
-Note that this option applies to shell, command or subsystem execution.
-Also note that this command may be superseded by a
+This option may be superseded by a
 .Xr sshd_config 5
 .Cm ForceCommand
 directive.
-.Pp
 If a command is specified and a forced-command is embedded in a certificate
 used for authentication, then the certificate will be accepted only if the
 two commands are identical.
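Review bot: Removing the SSH_ORIGINAL_COMMAND paragraph from the command="command" entry leaves authorized_keys readers without the one detail a forced-command wrapper depends on, and "see there for more details" does not tell them that this is among the details. Keep a one-line mention of `.Ev SSH_ORIGINAL_COMMAND` here, and keep naming `.Cm no-pty` for the 8-bit clean case, since a key owner can set that key option but cannot set PermitTTY. Dropping the `.Pp` before "If a command is specified and a forced-command is embedded in a certificate" also merges the ForceCommand precedence sentence and the certificate rule into one paragraph; they are separate points and read better with the break restored.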
diff --git a/usr.bin/ssh/sshd_config.5 b/usr.bin/ssh/sshd_config.5
index 85b098dfe1..dfe138d6f1 100644
--- a/usr.bin/ssh/sshd_config.5
+++ b/usr.bin/ssh/sshd_config.5
@@ -698,6 +698,10 @@ ignoring any command supplied by the client and
 if present.
 The command is invoked by using the user's login shell with the -c option.
 This applies to shell, command, or subsystem execution.
+The command is run on a pty if the client requests a pty;
+otherwise it is run without a tty. If an 8-bit clean channel is required,
+one must not request a pty or should specify
+.Cm PermitTTY=no .
 It is most useful inside a
 .Cm Match
 block.
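Review bot: On the second added line a new sentence starts mid-line ("otherwise it is run without a tty. If an 8-bit clean channel is required,"), while every other line visible in this hunk starts its sentence on a new line; break before "If". "one must not request a pty" is advice to the client, whereas PermitTTY is set on the server, so the sentence should say which side does what. Consider writing the directive as `.Cm PermitTTY no` to match the keyword-and-argument form used in sshd_config.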
-- 
2.39.5

From 66504cd662896c78cb6a6cc3179636f9fc3e08ca Mon Sep 17 00:00:00 2001
From: Max-Julian Pogner <max-julian@xxxxxxxxx>
Date: Mon, 4 Aug 2025 12:14:44 +0200
Subject: [PATCH 3/3] document, that the internal-sftp accepts options same as
 sftp-server

---
 usr.bin/ssh/sshd_config.5 | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/usr.bin/ssh/sshd_config.5 b/usr.bin/ssh/sshd_config.5
index dfe138d6f1..377b9fed70 100644
--- a/usr.bin/ssh/sshd_config.5
+++ b/usr.bin/ssh/sshd_config.5
@@ -712,7 +712,10 @@ Specifying a command of
 .Cm internal-sftp
 will force the use of an in-process SFTP server that requires no support
 files when used with
-.Cm ChrootDirectory .
+.Cm ChrootDirectory ,
+and that does not invoke the user's login shell.
+The in-process SFTP server accepts the same options as the external
+sftp server.
 The default is
 .Cm none .
 .It Cm GatewayPorts
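Review bot: "accepts the same options as the external sftp server" gives the reader nowhere to look those options up; name the page with `.Xr sftp-server 8`. The new clause "and that does not invoke the user's login shell" is an exception to the statement earlier in this entry, "The command is invoked by using the user's login shell with the -c option", so it would be clearer as its own sentence that states the exception explicitly instead of being appended to the ChrootDirectory sentence.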
-- 
2.39.5
