Harden authorized keys a bit more (#17772)
sshd(8) lists restrict as a future-proof way to restrict the features enabled in ssh. It has been supported since OpenSSH 7.2, released on 2016-02-29. OpenSSH will ignore unknown options (see sshauthopt_parse in auth-options.c), so it should be safe to add the option and no-user-rc. Co-authored-by: zeripath <art27@cantab.net> Co-authored-by: techknowlogick <techknowlogick@gitea.io>
parent
a1f5c7bfce
commit
e595986458
1 changed files with 1 additions and 1 deletions
|
@ -39,7 +39,7 @@ import (
|
|||
|
||||
const (
|
||||
tplCommentPrefix = `# gitea public key`
|
||||
tplPublicKey = tplCommentPrefix + "\n" + `command=%s,no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty %s` + "\n"
|
||||
tplPublicKey = tplCommentPrefix + "\n" + `command=%s,no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty,no-user-rc,restrict %s` + "\n"
|
||||
)
|
||||
|
||||
var sshOpLocker sync.Mutex
|
||||
|
|
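Review bot: The new `tplPublicKey` line depends on the description's claim that sshd ignores unknown key options, and that should be verified against the oldest sshd the project still supports. As far as I recall, `sshauthopt_parse` (and the older option parser before it) rejects the whole key line on an unrecognised option. If so, a pre-7.2 server would refuse every managed key instead of skipping `restrict`; that fails closed, so it is an availability risk rather than a bypass. I would state the requirement next to the constant, e.g. `// restrict requires OpenSSH >= 7.2 and also covers restrictions added in later releases; the explicit no-* options are kept to document intent`. The template presumably applies only to lines written from now on, so existing authorized_keys entries would keep the old option set until the file is regenerated, which is worth saying in the release notes.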