ssh certificate's force_command is lost if there is a force_command in sshd_config

SERVANT Cyril cyril.servant at cea.fr
Thu Oct 16 18:42:35 AEDT 2025


On 16/10/2025 00:30, Damien Miller wrote:
> On Wed, 15 Oct 2025, Cyril Servant wrote:
>
>> Hello,
>>
>> when a force_command is present in sshd_config _and_ another in an SSH
>> certificate, the one in sshd_config is used. This is completely normal and
>> expected.
>>
>> Similarly, the SSH_ORIGINAL_COMMAND environment variable contains the original
>> command.
>>
>> Unfortunately, the value of the command in the certificate is lost.
>>
>> Do you think it would be possible to add an SSH_CERTIFICATE_COMMAND
>> environment variable in this specific case? Indeed, a sysadmin may want to
>> take into account the command from the certificate rather than the original
>> command.
> The sshd_config option ExposeAuthInfo will let you obtain the
> certificate after login, and from there you can extract any
> included command.

Thank you Damien, and sorry for the fuss.

-- 

Cyril
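
Damien Miller's suggestion above, sketched as an added example that is not part of the thread or of OpenSSH: it parses the certificate found in the file named by SSH_USER_AUTH, following the field order in PROTOCOL.certkeys, and returns its force-command critical option. The `publickey <type> <base64>` line layout of that file is an assumption, the function names are hypothetical, and no signature check is done because sshd has already verified the certificate before recording it.

```python
import base64
import struct

# Count of length-prefixed public-key fields per certificate type
# (PROTOCOL.certkeys); they are skipped without being interpreted.
KEY_FIELDS = {"ssh-ed25519-cert-v01@openssh.com": 1,
              "ssh-rsa-cert-v01@openssh.com": 2,
              "sk-ssh-ed25519-cert-v01@openssh.com": 2,
              "sk-ecdsa-sha2-nistp256-cert-v01@openssh.com": 3}
KEY_FIELDS.update({f"ecdsa-sha2-nistp{b}-cert-v01@openssh.com": 2
                   for b in (256, 384, 521)})

def read_string(buf, off):
    """Read one SSH wire-format string: uint32 length, then that many bytes."""
    (n,) = struct.unpack_from(">I", buf, off)   # struct.error if truncated
    end = off + 4 + n
    if end > len(buf):
        raise ValueError("truncated string")
    return buf[off + 4:end], end

def cert_force_command(blob):
    """Return the force-command critical option of a certificate blob, or None."""
    ktype, off = read_string(blob, 0)
    nfields = KEY_FIELDS.get(ktype.decode("ascii", "replace"))
    if nfields is None:
        return None                        # plain key or unknown type
    for _ in range(1 + nfields):           # nonce, then the public-key fields
        _, off = read_string(blob, off)
    off += 8 + 4                           # serial (uint64), cert type (uint32)
    for _ in range(2):                     # key id, valid principals
        _, off = read_string(blob, off)
    options, _ = read_string(blob, off + 16)   # skip valid after/before
    pos = 0
    while pos < len(options):
        name, pos = read_string(options, pos)
        data, pos = read_string(options, pos)
        if name == b"force-command":       # value is a string nested in data
            return read_string(data, 0)[0].decode("utf-8", "replace")
    return None

def force_command_from_auth_info(text):
    """Scan ExposeAuthInfo file contents for a certificate's force-command."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0] == "publickey":
            cmd = cert_force_command(base64.b64decode(parts[2]))
            if cmd is not None:
                return cmd
    return None
```

In a ForceCommand wrapper the input would be the contents of the file whose path is in the SSH_USER_AUTH environment variable, with ExposeAuthInfo enabled in sshd_config.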

