openssh bugs - Nov 2021 - [Bug 3361] New: document that SessionType none prevents e.g. execution of authorized_keys’ command=

https://bugzilla.mindrot.org/show_bug.cgi?id=3361

            Bug ID: 3361
           Summary: document that SessionType none prevents e.g. execution
                    of authorized_keys? command           Product: Portable
OpenSSH
           Version: 8.7p1
          Hardware: Other
                OS: All
            Status: NEW
          Severity: enhancement
          Priority: P5
         Component: Documentation
          Assignee: unassigned-bugs at mindrot.org
          Reporter: calestyo at scientia.org

Hey.

It seems that when "SessionType none" one does not only get no
interactive login (as the novice user might assume), but also any
commands specified for execution on the remote side, like
authorized_keys? command= feature aren't invoked.

Perhaps it's worth to mention that briefly in the manpage.

Cheers,
Chris.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=3361

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |djm at mindrot.org

--- Comment #1 from Damien Miller <djm at mindrot.org> ---
This is the current description in the manpage:
> SessionType
>     May be used to either request invocation of a subsystem on the
>     remote system, or to prevent the execution of a remote command at
>     all.  The latter is useful for just forwarding ports.  The argu?
>     ment to this keyword must be *none* (same as the -N option),
>     *subsystem* (same as the -s option) or *default* (shell or command
>     execution).
IMO this is pretty clear already - the first sentence mentions the
behaviour of blocking all shell/command execution and the third
describes which does which.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=3361

--- Comment #2 from Christoph Anton Mitterer <calestyo at scientia.org>
---
Well, but you're a core OpenSSH developer, knowing the code at it's
heart ;-)

For an admin/end-user it may easily be not that obvious, given that the
command is already specified on the server (and not via the client) and
especially given that the connecting client has no choice in overriding
that command.

Anyway, was just a suggestion.

Feel free to close if you think it's not necessary.

Cheers,
Chris.

-- 
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=3361

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |WONTFIX
             Status|NEW                         |RESOLVED

--- Comment #3 from Damien Miller <djm at mindrot.org> ---
IMO the current documentation is fine

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.