Question about restrict option behavior and override precedence
Brian Candler
b.candler at pobox.com
Thu Apr 9 01:40:38 AEST 2026
On 08/04/2026 16:29, bishnu sahu wrote:
> I was reviewing auth-options.c and noticed that the "restrict" option sets
> multiple flags, but subsequent options (e.g. "pty") appear to override
> these restrictions.
>
> For example:
>     restrict,pty
>
> This results in restricted mode being set, but pty still being permitted.
>
> I wanted to understand whether this behavior is intentional (i.e.
> last-option-wins), or if restrict is expected to act as a stronger
> constraint.

It's intentional, and documented as such. The sshd(8) manpage does say:

     agent-forwarding
             Enable authentication agent forwarding previously disabled
             by the restrict option.
     ...
     port-forwarding
             Enable port forwarding previously disabled by the restrict
             option.
     ...
     pty     Permits tty allocation previously disabled by the restrict
             option.
     ...
     user-rc
             Enables execution of ~/.ssh/rc previously disabled by the
             restrict option.

     X11-forwarding
             Permits X11 forwarding previously disabled by the restrict
             option.

and gives this example:

     # Override of restriction to allow PTY allocation
     restrict,pty,command="nethack" ssh-rsa ...
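
An audit sketch for the behaviour discussed in this thread, added here as an example and not part of the original message or of OpenSSH: it applies authorized_keys options left to right and reports keys where a later option re-enables something after restrict. The function names, the key-type heuristic and the sample lines are assumptions constructed for illustration, as is the starting state in which all five flags are permitted.

```python
import re

# Flags cleared by "restrict", per the sshd(8) excerpt quoted in the message.
FLAGS = ("agent-forwarding", "port-forwarding", "pty", "user-rc", "x11-forwarding")
QUOTED = r'"(?:\\.|[^"\\])*"'                   # double-quoted value, \" allowed
OPTION = re.compile(rf'(?:[^,"]|{QUOTED})+')     # one comma-separated option
FIELD = re.compile(rf'(?:[^\s"]|{QUOTED})+')     # first whitespace-delimited field
# Heuristic (assumption): a first field starting like this is a key type, not options.
KEYTYPE = re.compile(r"^(ssh-|ecdsa-|sk-)")

def effective_flags(options):
    """Apply options left to right; return (flags, flags re-enabled after restrict)."""
    flags = dict.fromkeys(FLAGS, True)   # assumption: everything permitted by default
    restricted = False
    for opt in OPTION.findall(options):
        name = opt.split("=", 1)[0].strip().lower()   # keywords are case-insensitive
        if name == "restrict":
            restricted, flags = True, dict.fromkeys(FLAGS, False)
        elif name in FLAGS:
            flags[name] = True
        elif name.startswith("no-") and name[3:] in FLAGS:
            flags[name[3:]] = False
    return flags, [f for f in FLAGS if restricted and flags[f]]

def audit(lines):
    """Return (line number, re-enabled flags) for keys that loosen a restrict."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = FIELD.match(line.strip())
        first = m.group() if m else ""
        if not first or first.startswith("#") or KEYTYPE.match(first):
            continue                      # blank, comment, or no options field
        _, reenabled = effective_flags(first)
        if reenabled:
            findings.append((n, reenabled))
    return findings

SAMPLE = [
    "# constructed sample lines; key blobs are placeholders",
    'restrict,pty,command="nethack" ssh-rsa AAAA_PLACEHOLDER games',
    'restrict,command="backup --all,fast" ssh-ed25519 AAAA_PLACEHOLDER backup',
    "pty,restrict ssh-ed25519 AAAA_PLACEHOLDER ordering",
    "ssh-ed25519 AAAA_PLACEHOLDER unrestricted",
]
```

Running `audit()` over a real authorized_keys file lists each key whose options loosen a preceding restrict, so the override can be reviewed as a deliberate choice.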