upstream commit

When a forced-command appears in both a certificate and an authorized keys/principals command= restriction, refuse to accept the certificate unless they are identical. The previous (documented) behaviour of having the certificate forced- command override the other could be a bit confused and more error-prone. Pointed out by Jann Horn of Project Zero; ok dtucker@ Upstream-ID: 79d811b6eb6bbe1221bf146dde6928f92d2cd05f
author: djm@openbsd.org <djm@openbsd.org> 2016-11-30 02:57:40 +0000
committer: Damien Miller <djm@mindrot.org> 2016-11-30 19:44:01 +1100
commit: fd6dcef2030d23c43f986d26979f84619c10589d (patch)
tree: a9b9d64866a656d5e187f7d63b61e1c1bede5e8f /sshd.8
parent: 7fc4766ac78abae81ee75b22b7550720bfa28a33 (diff)
1 files changed, 13 insertions, 5 deletions
diff --git a/sshd.8 b/sshd.8
index 4cf8fee48..41fc5051a 100644
--- a/sshd.8
+++ b/sshd.8
@@ -33,8 +33,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd.8,v 1.286 2016/08/19 03:18:06 djm Exp $
+.\" $OpenBSD: sshd.8,v 1.287 2016/11/30 02:57:40 djm Exp $
-.Dd $Mdocdate: August 19 2016 $
+.Dd $Mdocdate: November 30 2016 $
 .Dt SSHD 8
 .Os
 .Sh NAME
@@ -481,19 +481,27 @@ If an 8-bit clean channel is required,
 one must not request a pty or should specify
 .Cm no-pty .
 A quote may be included in the command by quoting it with a backslash.
+.Pp
 This option might be useful
 to restrict certain public keys to perform just a specific operation.
 An example might be a key that permits remote backups but nothing else.
 Note that the client may specify TCP and/or X11
-forwarding unless they are explicitly prohibited.
+forwarding unless they are explicitly prohibited, e.g. using the
+.Cm restrict
+key option.
+.Pp
 The command originally supplied by the client is available in the
 .Ev SSH_ORIGINAL_COMMAND
 environment variable.
 Note that this option applies to shell, command or subsystem execution.
-Also note that this command may be superseded by either a
+Also note that this command may be superseded by a
 .Xr sshd_config 5
 .Cm ForceCommand
-directive or a command embedded in a certificate.
+directive.
+.Pp
+If a command is specified and a forced-command is embedded in a certificate
+used for authentication, then the certificate will be accepted only if the
+two commands are identical.
 .It Cm environment="NAME=value"
 Specifies that the string is to be added to the environment when
 logging in using this key.
author	djm@openbsd.org <djm@openbsd.org>	2016-11-30 02:57:40 +0000
committer	Damien Miller <djm@mindrot.org>	2016-11-30 19:44:01 +1100
commit	fd6dcef2030d23c43f986d26979f84619c10589d (patch)
tree	a9b9d64866a656d5e187f7d63b61e1c1bede5e8f /sshd.8
parent	7fc4766ac78abae81ee75b22b7550720bfa28a33 (diff)

diff --git a/sshd.8 b/sshd.8 index 4cf8fee48..41fc5051a 100644 --- a/sshd.8 +++ b/sshd.8
@@ -33,8 +33,8 @@
33	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF	33	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
34	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.	34	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
35	.\"	35	.\"
36	.\" $OpenBSD: sshd.8,v 1.286 2016/08/19 03:18:06 djm Exp $	36	.\" $OpenBSD: sshd.8,v 1.287 2016/11/30 02:57:40 djm Exp $
37	.Dd $Mdocdate: August 19 2016 $	37	.Dd $Mdocdate: November 30 2016 $
38	.Dt SSHD 8	38	.Dt SSHD 8
39	.Os	39	.Os
40	.Sh NAME	40	.Sh NAME
@@ -481,19 +481,27 @@ If an 8-bit clean channel is required,
481	one must not request a pty or should specify	481	one must not request a pty or should specify
482	.Cm no-pty .	482	.Cm no-pty .
483	A quote may be included in the command by quoting it with a backslash.	483	A quote may be included in the command by quoting it with a backslash.
		484	.Pp
484	This option might be useful	485	This option might be useful
485	to restrict certain public keys to perform just a specific operation.	486	to restrict certain public keys to perform just a specific operation.
486	An example might be a key that permits remote backups but nothing else.	487	An example might be a key that permits remote backups but nothing else.
487	Note that the client may specify TCP and/or X11	488	Note that the client may specify TCP and/or X11
488	forwarding unless they are explicitly prohibited.	489	forwarding unless they are explicitly prohibited, e.g. using the
		490	.Cm restrict
		491	key option.
		492	.Pp
489	The command originally supplied by the client is available in the	493	The command originally supplied by the client is available in the
490	.Ev SSH_ORIGINAL_COMMAND	494	.Ev SSH_ORIGINAL_COMMAND
491	environment variable.	495	environment variable.
492	Note that this option applies to shell, command or subsystem execution.	496	Note that this option applies to shell, command or subsystem execution.
493	Also note that this command may be superseded by either a	497	Also note that this command may be superseded by a
494	.Xr sshd_config 5	498	.Xr sshd_config 5
495	.Cm ForceCommand	499	.Cm ForceCommand
496	directive or a command embedded in a certificate.	500	directive.
		501	.Pp
		502	If a command is specified and a forced-command is embedded in a certificate
		503	used for authentication, then the certificate will be accepted only if the
		504	two commands are identical.
497	.It Cm environment="NAME=value"	505	.It Cm environment="NAME=value"
498	Specifies that the string is to be added to the environment when	506	Specifies that the string is to be added to the environment when
499	logging in using this key.	507	logging in using this key.