[PATCH] documentation changes for no-pty and force-command
Max-Julian Pogner
max-julian-6mipes72 at pogner.at
Wed Aug 6 21:12:30 AEST 2025
Dear OpenSSH Team,

a new patch set is attached, with:
- fixed the typo
- reworded the «command="…"» section in sshd.8, to make it more clear.

thanks to Brian Candler for feedback.

with best regards,
Max

On 05/08/2025 17:35, Max-Julian Pogner wrote:
> Dear OpenSSH Team,
>
> attached is a small patch set that updates the openssh manual pages.
>
> The changes try to describe more clearly the semantics and implications
> of the ``command="..."`` and ``no-pty`` authorized_keys options and their
> related sshd_config directives ``ForceCommand="..."`` and
> ``PermitTTY=no`` respectively.
>
> As a (Debian) Linux system administrator I recently investigated
> whether my sshd-related configuration could be made more restrictive
> with respect to security. In this process, I found that the description
> of the authorized_keys ``command="..."`` option was not
> describing the possible usage of the magic command ``internal-sftp``,
> and that in this case the user's login shell is not started by sshd
> (e.g. the user could have their login shell set to ``/bin/false`` and
> still the internal sftp server would process sftp requests from the
> client).
>
> The biggest caveat, the elephant in the room so to speak, is the
> question whether the options in the authorized_keys are intended to
> be identical (and not just similar) with regard to their semantics
> and implications to the directives in the sshd_config.
>
> For example:
>
> * ``no-pty`` in authorized_keys and ``PermitTTY=no`` in sshd_config
> really look and feel like they are equivalent. However, in
> monitor.c line 353 only ``auth_opts->permit_pty_flag`` is checked and
> ``options.permit_tty`` is not.
> In contrast, in session.c line 1550 both are checked equivalently.
>
> The patch set was created against
> commit 42a7be81bef70c04732f45ec573622effe56b563
> of https://github.com/openbsd/src.git
>
> awaiting any feedback on what I could improve with the patches
> and with best regards,
>
> Max-Julian Pogner
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-document-that-no-pty-is-identical-to-PermitTTY-no.patch
Type: text/x-patch
Size: 700 bytes
Desc: not available
URL: <http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20250806/1352be5c/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0002-document-that-command-is-identical-to-ForceCommand.patch
Type: text/x-patch
Size: 2835 bytes
Desc: not available
URL: <http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20250806/1352be5c/attachment-0001.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0003-document-that-the-internal-sftp-accepts-options-same.patch
Type: text/x-patch
Size: 904 bytes
Desc: not available
URL: <http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20250806/1352be5c/attachment-0002.bin>
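
An added example, not part of the original message or of OpenSSH: a small Python audit that parses the options field of authorized_keys lines and reports the forced command and PTY state the thread discusses, including the ``internal-sftp`` case. The function names, the key-type heuristic and the sample lines are constructed for illustration; only authorized_keys is read, so sshd_config directives such as ``ForceCommand`` and ``PermitTTY`` are not evaluated.

```python
import re

# Simplification (assumption): a line that starts with a key type has no options.
KEY_TYPE = re.compile(r"^(ssh-|ecdsa-sha2-|sk-)")

def split_options(line):
    """Split the leading options field of an authorized_keys line into a list."""
    if KEY_TYPE.match(line):
        return []
    opts, cur, quoted, i = [], "", False, 0
    while i < len(line):
        ch = line[i]
        if quoted and ch == "\\" and line[i + 1:i + 2] == '"':
            cur += '"'              # \" inside a quoted value is a literal quote
            i += 1                  # skip the backslash; the quote is skipped below
        elif ch == '"':
            quoted = not quoted
        elif ch == "," and not quoted:
            opts.append(cur)
            cur = ""
        elif ch in " \t" and not quoted:
            break                   # unquoted whitespace ends the options field
        else:
            cur += ch
        i += 1
    if quoted:
        raise ValueError("unterminated quote in options field")
    return opts + [cur]

def audit(line):
    """Report the forced command and PTY permission one key line carries."""
    command, pty = None, True
    for opt in split_options(line.strip()):   # options apply in order
        name, _, value = opt.partition("=")
        name = name.lower()                   # option keywords are case-insensitive
        if name == "command":
            command = value
        elif name in ("no-pty", "restrict"):
            pty = False
        elif name == "pty":
            pty = True
    sftp = command == "internal-sftp" or (command or "").startswith("internal-sftp ")
    return {"command": command, "pty": pty, "internal_sftp": sftp}

# Constructed sample lines; the key blobs are placeholders, not real keys.
SAMPLE = [
    'command="internal-sftp",no-pty ssh-ed25519 AAAA_constructed backup@example',
    r'restrict,pty,command="echo \"hi, there\"" ssh-rsa AAAA_constructed ops@example',
    'ssh-ed25519 AAAA_constructed admin@example',
]
```

Running ``audit`` over every non-comment line of each account's authorized_keys shows which keys have no forced command or still permit a PTY.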