ssh certificate's force_command is lost if there is a force_command in sshd_config
Damien Miller djm at mindrot.org
Thu Oct 16 09:30:22 AEDT 2025

On Wed, 15 Oct 2025, Cyril Servant wrote:
> Hello,
> 
> when a force_command is present in sshd_config _and_ another in an SSH
> certificate, the one in sshd_config is used. This is completely normal and
> expected.
> 
> Similarly, the SSH_ORIGINAL_COMMAND environment variable contains the original
> command.
> 
> Unfortunately, the value of the command in the certificate is lost.
> 
> Do you think it would be possible to add an SSH_CERTIFICATE_COMMAND
> environment variable in this specific case? Indeed, a sysadmin may want to
> take into account the command from the certificate rather than the original
> command.

The sshd_config option ExposeAuthInfo will let you obtain the
certificate after login, and from there you can extract any
included command.

-d
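
One way to do the extraction described in the reply, as an added example that is not part of the original message and is not OpenSSH code: it reads the file sshd names in SSH_USER_AUTH when ExposeAuthInfo is enabled and pulls the force-command critical option out of the certificate blob, following the field layout in OpenSSH's PROTOCOL.certkeys. It assumes the file holds lines of the form `publickey <key-type> <base64-blob>` with the full certificate as the blob; the function names are hypothetical.

```python
import base64, os

SUFFIX = "-cert-v01@openssh.com"
# Length-prefixed public-key fields that follow the nonce, per base key type
# (layouts per OpenSSH PROTOCOL.certkeys and PROTOCOL.u2f).
KEY_FIELDS = {"ssh-rsa": 2, "ssh-ed25519": 1, "ecdsa-sha2-nistp256": 2,
              "ecdsa-sha2-nistp384": 2, "ecdsa-sha2-nistp521": 2,
              "sk-ssh-ed25519": 2, "sk-ecdsa-sha2-nistp256": 3}

def read_string(buf, off):
    """Read one SSH string (uint32 length + bytes); return (data, next offset)."""
    end = off + 4 + int.from_bytes(buf[off:off + 4], "big")
    if off + 4 > len(buf) or end > len(buf):
        raise ValueError("truncated certificate")
    return buf[off + 4:end], end

def cert_force_command(blob):
    """Return the force-command critical option of a certificate blob, or None."""
    # No signature check here: sshd already validated the certificate at login.
    ktype, off = read_string(blob, 0)
    name = ktype.decode("ascii", "replace")
    if not name.endswith(SUFFIX) or name[:-len(SUFFIX)] not in KEY_FIELDS:
        raise ValueError("not a supported certificate type: " + name)
    for _ in range(1 + KEY_FIELDS[name[:-len(SUFFIX)]]):  # nonce + key fields
        _, off = read_string(blob, off)
    off += 8 + 4                      # serial (uint64), cert type (uint32)
    for _ in range(2):                # key id, valid principals
        _, off = read_string(blob, off)
    off += 8 + 8                      # valid after, valid before
    options, _ = read_string(blob, off)
    pos = 0
    while pos < len(options):         # sequence of (name, data) string pairs
        opt, pos = read_string(options, pos)
        data, pos = read_string(options, pos)
        if opt == b"force-command":   # data wraps the command in one more string
            return read_string(data, 0)[0].decode()
    return None

def command_from_auth_info(text):
    """Find the certificate line in ExposeAuthInfo file content; return its command."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0] == "publickey" and parts[1].endswith(SUFFIX):
            return cert_force_command(base64.b64decode(parts[2]))
    return None

if __name__ == "__main__" and os.environ.get("SSH_USER_AUTH"):
    with open(os.environ["SSH_USER_AUTH"]) as fh:   # path set by sshd
        print(command_from_auth_info(fh.read()))
```

A script set as ForceCommand in sshd_config can call `command_from_auth_info` this way and see the certificate's command alongside SSH_ORIGINAL_COMMAND.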

More information about the openssh-unix-dev mailing list