Max-Julian Pogner
2025-Aug-05 15:35 UTC
[PATCH] documentation changes for no-pty and force-command
Dear OpenSSH Team,
attached is a small patch set that updates the openssh manual pages.
The changes try to describe more clearly the semantics and implications
of the ``command="..."`` and ``no-pty`` authorized_keys options and
its
related sshd_config directives ``ForceCommand="..."`` and
``PermitTTY=no`` respectively.
As a (Debian) Linux system administrator i recently investigated
whether my sshd-related configuration could be made more restrictive
with respect to security. In this process, i found that the description
of the authorized_keys ``command="..."`` option was not
describing the possible usage of the magic command ``internal-sftp``,
and that in this case the user's login shell is not started by sshd
(e.g. the user could have its login shell set to ``/bin/false`` and
still the internal sftp server would process sftp requests from the
client).
The biggest caveat, the elephant in the room so to speak, is the
question whether the options in the authorized_keys are intended to
be identical (and not just similar) with regards to their semantics
and implications to the directives in the sshd_config.
For example:
* ``no-pty`` in authorized_keys and ``PermitTTY=no`` in sshd_config
really look and feel like they are equivalent. However, in
monitor.c line 353 only ``auth_opts->permit_pty_flag`` is checked and
``options.permit_tty`` is not.
In contrast, in session.c line 1550 both are checked equivalently.
The patch set was created against
commit 42a7be81bef70c04732f45ec573622effe56b563
of https://github.com/openbsd/src.git
awaiting any feedback on what i could improve with the patches
and with best regards,
Max-Julian Pogner
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-document-that-no-pty-is-identical-to-PermitTTY-no.patch
Type: text/x-patch
Size: 700 bytes
Desc: not available
URL:
<http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20250805/61c0d433/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0002-document-that-command-is-identical-to-ForceCommand.patch
Type: text/x-patch
Size: 2899 bytes
Desc: not available
URL:
<http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20250805/61c0d433/attachment-0001.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0003-document-that-the-internal-sftp-accepts-options-same.patch
Type: text/x-patch
Size: 904 bytes
Desc: not available
URL:
<http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20250805/61c0d433/attachment-0002.bin>
Max-Julian Pogner
2025-Aug-06 11:12 UTC
[PATCH] documentation changes for no-pty and force-command
Dear OpenSSH Team, a new patch set is attached, with: - fixed the typo - reworded the ?command="?"? section in sshd.8, to make it more clear. thanks to Brian Candler for feedback. with best regards, Max On 05/08/2025 17:35, Max-Julian Pogner wrote:> Dear OpenSSH Team, > > attached is a small patch set that updates the openssh manual pages. > > The changes try to describe more clearly the semantics and implications > of the ``command="..."`` and ``no-pty`` authorized_keys options and its > related sshd_config directives ``ForceCommand="..."`` and > ``PermitTTY=no`` respectively. > > As a (Debian) Linux system administrator i recently investigated > whether my sshd-related configuration could be made more restrictive > with respect to security. In this process, i found that the description > of the authorized_keys ``command="..."`` option was not > describing the possible usage of the magic command ``internal-sftp``, > and that in this case the user's login shell is not started by sshd > (e.g. the user could have its login shell set to ``/bin/false`` and > still the internal sftp server would process sftp requests from the > client). > > The biggest caveat, the elephant in the room so to speak, is the > question whether the options in the authorized_keys are intended to > be identical (and not just similar) with regards to their semantics > and implications to the directives in the sshd_config. > > For example: > > * ``no-pty`` in authorized_keys and ``PermitTTY=no`` in sshd_config > ??? really look and feel like they are equivalent. However, in > ??? monitor.c line 353 only ``auth_opts->permit_pty_flag`` is checked and > ??? ``options.permit_tty`` is not. > ??? In contrast, in session.c line 1550 both are checked equivalently. > > The patch set was created against > commit 42a7be81bef70c04732f45ec573622effe56b563 > of https://github.com/openbsd/src.git > > awaiting any feedback on what i could improve with the patches > and with best regards, > > Max-Julian Pogner > > _______________________________________________ > openssh-unix-dev mailing list > openssh-unix-dev at mindrot.org > https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev-------------- next part -------------- A non-text attachment was scrubbed... Name: 0001-document-that-no-pty-is-identical-to-PermitTTY-no.patch Type: text/x-patch Size: 700 bytes Desc: not available URL: <http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20250806/1352be5c/attachment.bin> -------------- next part -------------- A non-text attachment was scrubbed... Name: 0002-document-that-command-is-identical-to-ForceCommand.patch Type: text/x-patch Size: 2835 bytes Desc: not available URL: <http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20250806/1352be5c/attachment-0001.bin> -------------- next part -------------- A non-text attachment was scrubbed... Name: 0003-document-that-the-internal-sftp-accepts-options-same.patch Type: text/x-patch Size: 904 bytes Desc: not available URL: <http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20250806/1352be5c/attachment-0002.bin>