[PATCH] documentation changes for no-pty and force-command
Max-Julian Pogner
max-julian-6mipes72 at pogner.at
Wed Aug 6 01:35:05 AEST 2025
Dear OpenSSH Team,

attached is a small patch set that updates the openssh manual pages.
The changes try to describe more clearly the semantics and implications
of the ``command="..."`` and ``no-pty`` authorized_keys options and their
related sshd_config directives ``ForceCommand="..."`` and
``PermitTTY=no`` respectively.

As a (Debian) Linux system administrator I recently investigated
whether my sshd-related configuration could be made more restrictive
with respect to security. In this process, I found that the description
of the authorized_keys ``command="..."`` option was not
describing the possible usage of the magic command ``internal-sftp``,
and that in this case the user's login shell is not started by sshd
(e.g. the user could have its login shell set to ``/bin/false`` and
still the internal sftp server would process sftp requests from the
client).

The biggest caveat, the elephant in the room so to speak, is the
question whether the options in the authorized_keys are intended to
be identical (and not just similar) with regard to their semantics
and implications to the directives in the sshd_config.

For example:

* ``no-pty`` in authorized_keys and ``PermitTTY=no`` in sshd_config
  really look and feel like they are equivalent. However, in
  monitor.c line 353 only ``auth_opts->permit_pty_flag`` is checked and
  ``options.permit_tty`` is not.
  In contrast, in session.c line 1550 both are checked equivalently.

The patch set was created against
commit 42a7be81bef70c04732f45ec573622effe56b563
of https://github.com/openbsd/src.git

Awaiting any feedback on what I could improve with the patches
and with best regards,
Max-Julian Pogner
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-document-that-no-pty-is-identical-to-PermitTTY-no.patch
Type: text/x-patch
Size: 700 bytes
Desc: not available
URL: <http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20250805/61c0d433/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0002-document-that-command-is-identical-to-ForceCommand.patch
Type: text/x-patch
Size: 2899 bytes
Desc: not available
URL: <http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20250805/61c0d433/attachment-0001.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0003-document-that-the-internal-sftp-accepts-options-same.patch
Type: text/x-patch
Size: 904 bytes
Desc: not available
URL: <http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20250805/61c0d433/attachment-0002.bin>
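
Added example, not part of the original message or of OpenSSH: a small Python audit of the authorized_keys options discussed above (``command="..."`` and ``no-pty``, plus ``restrict`` and ``pty``), reporting keys that have no forced command or may still get a pty. It reads key options only, so the server-side ``ForceCommand`` and ``PermitTTY`` directives are out of scope; the function names, the left-to-right option model and the sample lines are assumptions of this example.

```python
KEY_PREFIXES = ("ssh-", "ecdsa-sha2-", "sk-")  # start of the key-type field

def parse_options(line):
    """Return [(name, value-or-None)] from one authorized_keys line's option field."""
    line, opts, cur, quoted, i = line.strip(), [], "", False, 0
    if line.startswith(KEY_PREFIXES):
        return []                          # line begins with the key type: no options
    while i < len(line):
        ch = line[i]
        if quoted and line[i:i + 2] == '\\"':
            cur, i = cur + '"', i + 2      # \" inside quotes is a literal quote
            continue
        if ch == '"':
            quoted = not quoted
        elif ch == "," and not quoted:
            opts, cur = opts + [cur], ""
        elif ch in " \t" and not quoted:
            break                          # unquoted blank ends the option field
        else:
            cur += ch
        i += 1
    pairs = (o.partition("=") for o in opts + [cur])
    return [(name.lower(), value if sep else None) for name, sep, value in pairs]

def effective(line):
    """Model the per-key result, applying options left to right (an assumption)."""
    pty, command = True, None
    for name, value in parse_options(line):
        if name in ("no-pty", "restrict", "pty"):
            pty = name == "pty"
        elif name == "command":
            command = value
    sftp = command is not None and command.split()[:1] == ["internal-sftp"]
    return {"pty": pty, "command": command, "internal_sftp": sftp}

def audit(text):
    """Return (line number, finding) pairs for keys that are not locked down."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        if line.strip() and not line.lstrip().startswith("#"):
            eff = effective(line)
            checks = [("no forced command", eff["command"] is None),
                      ("pty allowed by key options", eff["pty"])]
            findings += [(no, msg) for msg, hit in checks if hit]
    return findings

SAMPLE = (  # constructed input; the key blobs are placeholders, not real keys
    'command="internal-sftp -l INFO",no-pty ssh-ed25519 AAAAC3PLACEHOLDER backup@example\n'
    'ssh-ed25519 AAAAC3PLACEHOLDER admin@example\n'
    'restrict,pty,command="echo \\"hi, there\\"" ssh-rsa AAAAB3PLACEHOLDER ci@example\n')
```

Calling ``audit(SAMPLE)`` flags the second and third sample keys; a key that passes here can still be affected by a ``Match`` block in sshd_config, which this example does not read.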