From e706129f8fd6e0b832907ad2fa09648a4781ee5c Mon Sep 17 00:00:00 2001
From: Michael Scherer
Date: Tue, 23 Nov 2021 00:36:01 +0100
Subject: [PATCH] Harden authorized keys a bit more

sshd(8) list restrict as a future-proof way to restrict feature enabled in ssh. It is supported since OpenSSH 7.2, out since 2016-02-29. OpenSSH will ignore unknown options (see sshauthopt_parse in auth-options.c), so it should be safe to add the option and no-user-rc.
---
 models/ssh_key_authorized_keys.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/models/ssh_key_authorized_keys.go b/models/ssh_key_authorized_keys.go
index ed17a12e9a8a..7843390ffc38 100644
--- a/models/ssh_key_authorized_keys.go
+++ b/models/ssh_key_authorized_keys.go
@@ -39,7 +39,7 @@ import (
 
 const (
 	tplCommentPrefix = `# gitea public key`
-	tplPublicKey = tplCommentPrefix + "\n" + `command=%s,no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty %s` + "\n"
+	tplPublicKey = tplCommentPrefix + "\n" + `command=%s,no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty,no-user-rc,restrict %s` + "\n"
 )
 
 var sshOpLocker sync.Mutex
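Review bot: The safety of adding `restrict` to `tplPublicKey` rests entirely on the commit message's claim that sshd ignores unknown authorized_keys options on versions older than OpenSSH 7.2, yet the hunk records neither that minimum version nor the claim; if an older parser instead rejects the line, every key Gitea writes with this template stops working at once, so the behaviour should be verified against the sshd versions the project supports and stated next to the constant. The explicit `no-*` options now duplicate what `restrict` implies, which reads as an oversight without a comment; above `tplPublicKey` add something like `// restrict (OpenSSH 7.2+) implies the no-* options and any restriction added later; the explicit ones are kept for older sshd versions`. Since this is only the template for newly written entries, lines already present in authorized_keys presumably keep the old option set until the file is regenerated, which the description or release notes should mention. The const block is complete within the hunk.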