Harden authorized keys a bit more (#17772)

sshd(8) list restrict as a future-proof way to restrict feature
enabled in ssh. It is supported since OpenSSH 7.2, out since
2016-02-29.

OpenSSH will ignore unknown options (see sshauthopt_parse in
auth-options.c), so it should be safe to add the option and
no-user-rc.

Co-authored-by: zeripath <art27@cantab.net>
Co-authored-by: techknowlogick <techknowlogick@gitea.io>
tokarchuk/v1.17
mscherer 3 years ago committed by GitHub
parent a1f5c7bfce
commit e595986458
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
  1. 2
      models/ssh_key_authorized_keys.go

@ -39,7 +39,7 @@ import (
const ( const (
tplCommentPrefix = `# gitea public key` tplCommentPrefix = `# gitea public key`
tplPublicKey = tplCommentPrefix + "\n" + `command=%s,no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty %s` + "\n" tplPublicKey = tplCommentPrefix + "\n" + `command=%s,no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty,no-user-rc,restrict %s` + "\n"
) )
var sshOpLocker sync.Mutex var sshOpLocker sync.Mutex

Loading…
Cancel
Save