Question about restrict option behavior and override precedence
bishnu sahu
mebishnusahu at gmail.com
Thu Apr 9 10:58:40 AEST 2026
Thanks, I'll look into it.
On Wed, Apr 8, 2026 at 9:10 PM Brian Candler <b.candler at pobox.com> wrote:
> On 08/04/2026 16:29, bishnu sahu wrote:
> > I was reviewing auth-options.c and noticed that the "restrict" option sets
> > multiple flags, but subsequent options (e.g. "pty") appear to override
> > these restrictions.
> >
> > For example:
> > restrict,pty
> >
> > This results in restricted mode being set, but pty still being permitted.
> >
> > I wanted to understand whether this behavior is intentional (i.e.
> > last-option-wins), or if restrict is expected to act as a stronger
> > constraint.
>
> It's intentional, and documented as such. The sshd(8) manpage does say:
>
>      agent-forwarding
>              Enable authentication agent forwarding previously disabled
>              by the restrict option.
>
>      ...
>
>      port-forwarding
>              Enable port forwarding previously disabled by the restrict
>              option.
>
>      ...
>
>      pty     Permits tty allocation previously disabled by the restrict
>              option.
>
>      ...
>
>      user-rc
>              Enables execution of ~/.ssh/rc previously disabled by the
>              restrict option.
>
>      X11-forwarding
>              Permits X11 forwarding previously disabled by the restrict
>              option.
>
> and gives this example:
>
> # Override of restriction to allow PTY allocation
> restrict,pty,command="nethack" ssh-rsa ...
>
>
>
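
The last-option-wins behaviour confirmed in this thread, as an added example that is not part of the original messages and is not OpenSSH code: a Python audit that replays an authorized_keys options field left to right and reports keys where restrict is followed by an option that re-enables a feature. The `no-*` negations, the key-type prefix heuristic in `NO_OPTIONS` and the sample lines are assumptions of the example.

```python
# Added example, not OpenSSH code: left-to-right model of restrict and its overrides.
FEATURES = ("agent-forwarding", "port-forwarding", "pty", "user-rc", "x11-forwarding")
NO_OPTIONS = ("#", "ssh-", "ecdsa-", "sk-")  # assumption: comment or key type comes first

def split_unquoted(text, seps):
    """Split on any char in seps that lies outside double quotes (\\" stays quoted)."""
    parts, cur, quoted, prev = [], "", False, ""
    for ch in text:
        if ch == '"' and not (quoted and prev == "\\"):
            quoted = not quoted
        if ch in seps and not quoted:
            parts, cur = parts + [cur], ""
        else:
            cur += ch
        prev = ch
    return parts + [cur]

def effective(options_field):
    """Apply options in order; return (restrict seen, feature -> allowed)."""
    flags, restricted = dict.fromkeys(FEATURES, True), False
    for opt in split_unquoted(options_field, ","):
        name = opt.split("=", 1)[0].lower()  # option keywords are case-insensitive
        base = name[3:] if name.startswith("no-") else name
        if name == "restrict":
            flags, restricted = dict.fromkeys(FEATURES, False), True
        elif base in flags:
            flags[base] = base == name  # "pty" enables, "no-pty" disables
    return restricted, flags

def audit(text):
    """Return (line number, re-enabled features) for keys where restrict is overridden."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        field = split_unquoted(line.strip(), " \t")[0]
        if not field or field.lower().startswith(NO_OPTIONS):
            continue  # blank line, comment, or key with no options field
        restricted, flags = effective(field)
        enabled = sorted(f for f, ok in flags.items() if ok)
        if restricted and enabled:
            findings.append((no, enabled))
    return findings

SAMPLE = """\
# constructed sample, key material elided
restrict,pty,command="nethack" ssh-rsa AAAA... user1
restrict,command="backup --set a,b" ssh-ed25519 AAAA... user2
pty,restrict ssh-ed25519 AAAA... user3
"""
print(audit(SAMPLE))
```

Only the first key line is reported: on the third, restrict comes after pty and clears it again, so the order of options decides the outcome.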
More information about the openssh-unix-dev mailing list