Harden authorized keys a bit more (#17772)

sshd(8) list restrict as a future-proof way to restrict feature enabled in ssh. It is supported since OpenSSH 7.2, out since 2016-02-29. OpenSSH will ignore unknown options (see sshauthopt_parse in auth-options.c), so it should be safe to add the option and no-user-rc. Co-authored-by: zeripath <art27@cantab.net> Co-authored-by: techknowlogick <techknowlogick@gitea.io>
go-gitea · Nov 23, 2021 · e595986 · e595986
1 parent a1f5c7b
commit e595986
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/models/ssh_key_authorized_keys.go b/models/ssh_key_authorized_keys.go
@@ -39,7 +39,7 @@ import (
 
 const (
 	tplCommentPrefix = `# gitea public key`
-	tplPublicKey     = tplCommentPrefix + "\n" + `command=%s,no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty %s` + "\n"
+	tplPublicKey     = tplCommentPrefix + "\n" + `command=%s,no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty,no-user-rc,restrict %s` + "\n"
 )
 
 var sshOpLocker sync.Mutex