Harden authorized keys a bit more (#17772)

sshd(8) list restrict as a future-proof way to restrict feature enabled in ssh. It is supported since OpenSSH 7.2, out since 2016-02-29. OpenSSH will ignore unknown options (see sshauthopt_parse in auth-options.c), so it should be safe to add the option and no-user-rc. Co-authored-by: zeripath <art27@cantab.net> Co-authored-by: techknowlogick <techknowlogick@gitea.io>
2021-11-23 03:44:26 +01:00 · 2021-11-23 03:44:26 +01:00 · e595986458
commit e595986458
parent a1f5c7bfce
1 changed files with 1 additions and 1 deletions
--- a/models/ssh_key_authorized_keys.go
+++ b/models/ssh_key_authorized_keys.go
@ -39,7 +39,7 @@ import (

 const (
 	tplCommentPrefix = `# gitea public key`
-	tplPublicKey     = tplCommentPrefix + "\n" + `command=%s,no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty %s` + "\n"
+	tplPublicKey     = tplCommentPrefix + "\n" + `command=%s,no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty,no-user-rc,restrict %s` + "\n"
 )

 var sshOpLocker sync.Mutex