[openssh-commits] [openssh] 02/02: upstream: clarify that Authorized(Keys|Principals)(File|Command)

git+noreply at mindrot.org git+noreply at mindrot.org
Mon Mar 23 12:42:29 AEDT 2026 

This is an automated email from the git hooks/post-receive script.

djm pushed a commit to branch master
in repository openssh.

commit 2ca6eef69d7dbecfd67cede25ea6a9aa1074ba3e
Author: djm at openbsd.org <djm at openbsd.org>
AuthorDate: Mon Mar 23 01:33:46 2026 +0000

    upstream: clarify that Authorized(Keys|Principals)(File|Command)
    
    are only consulted for valid users.
    
    clarify that TOKENS are expanded without sanitisation or escaping
    and that it's the user's reponsibility to ensure their usage is
    safe.
    
    prompted by bz3936; feedback/ok deraadt@
    
    OpenBSD-Commit-ID: cd58abad1137346ba2dee55fa9ebb975f5fa7a06
---
 ssh_config.5  | 13 ++++++++++---
 sshd_config.5 | 17 ++++++++++++++---
 2 files changed, 24 insertions(+), 6 deletions(-)

diff --git a/ssh_config.5 b/ssh_config.5
index c5bf8338d..b459b0449 100644
--- a/ssh_config.5
+++ b/ssh_config.5
@@ -33,8 +33,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: ssh_config.5,v 1.422 2026/02/09 22:12:48 dtucker Exp $
-.Dd $Mdocdate: February 9 2026 $
+.\" $OpenBSD: ssh_config.5,v 1.423 2026/03/23 01:33:46 djm Exp $
+.Dd $Mdocdate: March 23 2026 $
 .Dt SSH_CONFIG 5
 .Os
 .Sh NAME
@@ -2305,7 +2305,14 @@ such as a wildcard:
 .Dl from=\&"!host1,!host2,*\&"
 .Sh TOKENS
 Arguments to some keywords can make use of tokens,
-which are expanded at runtime:
+which are expanded at runtime.
+Tokens are expanded without quoting or escaping of shell characters.
+It is the user's responsibility to ensure they are safe in the
+context of their use.
+.Pp
+The supported tokens in
+.Nm
+are:
 .Pp
 .Bl -tag -width XXXX -offset indent -compact
 .It %%
diff --git a/sshd_config.5 b/sshd_config.5
index 3b9303b82..5bcec932d 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -33,8 +33,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd_config.5,v 1.395 2026/02/09 22:12:48 dtucker Exp $
-.Dd $Mdocdate: February 9 2026 $
+.\" $OpenBSD: sshd_config.5,v 1.396 2026/03/23 01:33:46 djm Exp $
+.Dd $Mdocdate: March 23 2026 $
 .Dt SSHD_CONFIG 5
 .Os
 .Sh NAME
@@ -260,6 +260,7 @@ files and will not be executed if a matching key is found there.
 By default, no
 .Cm AuthorizedKeysCommand
 is run.
+This command is only executed for valid users.
 .It Cm AuthorizedKeysCommandUser
 Specifies the user under whose account the
 .Cm AuthorizedKeysCommand
@@ -292,6 +293,7 @@ Alternately this option may be set to
 to skip checking for user keys in files.
 The default is
 .Qq .ssh/authorized_keys .ssh/authorized_keys2 .
+These files are only checked for valid users.
 .It Cm AuthorizedPrincipalsCommand
 Specifies a program to be used to generate the list of allowed
 certificate principals as per
@@ -318,6 +320,7 @@ must contain a principal that is listed.
 By default, no
 .Cm AuthorizedPrincipalsCommand
 is run.
+This command is only executed for valid users.
 .It Cm AuthorizedPrincipalsCommandUser
 Specifies the user under whose account the
 .Cm AuthorizedPrincipalsCommand
@@ -359,6 +362,7 @@ The default is
 i.e. not to use a principals file \(en in this case, the username
 of the user must appear in a certificate's principals list for it to be
 accepted.
+This file is only checked for valid users.
 .Pp
 Note that
 .Cm AuthorizedPrincipalsFile
@@ -2189,7 +2193,14 @@ Time format examples:
 .El
 .Sh TOKENS
 Arguments to some keywords can make use of tokens,
-which are expanded at runtime:
+which are expanded at runtime.
+Tokens are expanded without quoting or escaping of shell characters.
+It is the administrator's responsibility to ensure they are safe in the
+context of their use.
+.Pp
+The supported tokens in
+.Nm
+are:
 .Pp
 .Bl -tag -width XXXX -offset indent -compact
 .It %%

-- 
To stop receiving notification emails like this one, please contact
djm at mindrot.org.

More information about the openssh-commits mailing list