Cyril Servant
2025-Oct-15 12:43 UTC
ssh certificate's force_command is lost if there is a force_command in sshd_config
Hello,

when a force_command is present in sshd_config _and_ another in an SSH certificate, the one in sshd_config is used. This is completely normal and expected.

Similarly, the SSH_ORIGINAL_COMMAND environment variable contains the original command.

Unfortunately, the value of the command in the certificate is lost.

Do you think it would be possible to add an SSH_CERTIFICATE_COMMAND environment variable in this specific case? Indeed, a sysadmin may want to take into account the command from the certificate rather than the original command.

Thank you,
--
Cyril
Damien Miller
2025-Oct-15 22:30 UTC
ssh certificate's force_command is lost if there is a force_command in sshd_config
On Wed, 15 Oct 2025, Cyril Servant wrote:

> Hello,
>
> when a force_command is present in sshd_config _and_ another in an SSH
> certificate, the one in sshd_config is used. This is completely normal and
> expected.
>
> Similarly, the SSH_ORIGINAL_COMMAND environment variable contains the original
> command.
>
> Unfortunately, the value of the command in the certificate is lost.
>
> Do you think it would be possible to add an SSH_CERTIFICATE_COMMAND
> environment variable in this specific case? Indeed, a sysadmin may want to
> take into account the command from the certificate rather than the original
> command.

The sshd_config option ExposeAuthInfo will let you obtain the certificate after login, and from there you can extract any included command.

-d
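
The approach from the reply above, sketched as shell helpers for an sshd_config ForceCommand wrapper; this is an added example, not code from the thread or from OpenSSH. It assumes `ExposeAuthInfo yes`, that each public-key line of the `SSH_USER_AUTH` file reads `publickey <keytype> <base64>`, and that `ssh-keygen -L` prints the option under `Critical Options:`; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: recover a certificate's force-command inside a ForceCommand
# wrapper. Function names are hypothetical; needs "ExposeAuthInfo yes".

# Print "keytype base64" for every certificate in an ExposeAuthInfo file.
# Assumed line layout: "publickey <keytype> <base64>".
cert_keys_from_authinfo() {
    awk '$1 == "publickey" && $2 ~ /-cert-v[0-9]+@openssh\.com$/ { print $2, $3 }' "$1"
}

# Read `ssh-keygen -L` output on stdin and print the force-command value.
# Only the "Critical Options:" block is searched, so a principal that is
# literally named "force-command" is not mistaken for the option.
force_command_from_listing() {
    awk '
        /^[ \t]*Critical Options:/ { in_opts = 1; next }
        /^[ \t]*Extensions:/       { in_opts = 0 }
        in_opts && $1 == "force-command" {
            sub(/^[ \t]*force-command /, ""); print; found = 1; exit
        }
        END { exit (found ? 0 : 1) }
    '
}

# Print the force-command of the certificate used for this login.
# Returns non-zero when no certificate or no force-command is present.
ssh_certificate_command() {
    [ -r "${SSH_USER_AUTH:-}" ] || return 1
    tmp=$(mktemp) || return 1
    # First certificate only; a login normally presents a single one.
    cert_keys_from_authinfo "$SSH_USER_AUTH" | head -n 1 > "$tmp"
    ssh-keygen -L -f "$tmp" 2>/dev/null | force_command_from_listing
    rc=$?
    rm -f "$tmp"
    return $rc
}

# In the wrapper named by ForceCommand (the variable name is the one proposed
# in the thread, set here by the wrapper itself, not by sshd):
#   SSH_CERTIFICATE_COMMAND=$(ssh_certificate_command) && export SSH_CERTIFICATE_COMMAND
```

The wrapper should treat the recovered string as policy input to compare against an allow-list, not as something to pass to a shell unchecked.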