[openssh-commits] [openssh] 02/03: upstream: There is a warning next to the authorized_keys command=""

git+noreply at mindrot.org git+noreply at mindrot.org
Mon Dec 8 11:46:02 AEDT 2025


This is an automated email from the git hooks/post-receive script.

djm pushed a commit to branch master
in repository openssh.

commit a1e37f0998ed5027f6c8dd30befb379ea2cac95b
Author: djm at openbsd.org <djm at openbsd.org>
AuthorDate: Mon Dec 8 00:44:16 2025 +0000

    upstream: There is a warning next to the authorized_keys command=""
    
    flag that forcing a command doesn't automatically disable forwarding. Add one
    next to the sshd_config(5) ForceCommand directive too.
    
    feedback deraadt@
    
    OpenBSD-Commit-ID: bfe38b4d3cfbadbb8bafe38bc256f5a17a0ee75c
---
 sshd_config.5 | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

diff --git a/sshd_config.5 b/sshd_config.5
index 1b01415cb..361af6488 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -33,8 +33,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd_config.5,v 1.386 2025/11/25 01:14:33 djm Exp $
-.Dd $Mdocdate: November 25 2025 $
+.\" $OpenBSD: sshd_config.5,v 1.387 2025/12/08 00:44:16 djm Exp $
+.Dd $Mdocdate: December 8 2025 $
 .Dt SSHD_CONFIG 5
 .Os
 .Sh NAME
@@ -710,6 +710,15 @@ files when used with
 .Cm ChrootDirectory .
 The default is
 .Cm none .
+.Pp
+This directive does not limit other kinds of access that a
+client may request via their connection, such as TCP, agent, socket or
+X11 forwarding.
+If these are not desired, then they must be explicitly disabled, either
+individually via their respective options or all together using the
+.Cm DisableForwarding
+option.
+.Cm 
 .It Cm GatewayPorts
 Specifies whether remote hosts are allowed to connect to ports
 forwarded for the client.
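
Review bot: The last added line of this hunk is a bare ".Cm" macro with no argument (and a trailing space), sitting between "option." and the ".It Cm GatewayPorts" entry. It looks like a leftover from editing and contributes nothing to the rendered ForceCommand text, so I would drop it and let the new paragraph end at "option.". Separately, since the commit message says this mirrors the warning beside the authorized_keys command="" option, a cross-reference to that text would help readers find both places where forwarding has to be disabled explicitly.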

-- 
To stop receiving notification emails like this one, please contact
djm at mindrot.org.

