diff options
author | mscherer <mscherer@users.noreply.github.com> | 2021-11-23 03:44:26 +0100 |
---|---|---|
committer | GitHub <noreply@github.com> | 2021-11-22 21:44:26 -0500 |
commit | e595986458e24ff0e490d79bd7569672a563f1cd (patch) | |
tree | 33cb5abc127f6ea187d65bb3e7725c27f47f7aaa /models | |
parent | a1f5c7bfce6af221930df8c417057ca7946c810e (diff) | |
download | gitea-e595986458e24ff0e490d79bd7569672a563f1cd.tar.gz gitea-e595986458e24ff0e490d79bd7569672a563f1cd.zip |
Harden authorized keys a bit more (#17772)
sshd(8) list restrict as a future-proof way to restrict feature
enabled in ssh. It is supported since OpenSSH 7.2, out since
2016-02-29.
OpenSSH will ignore unknown options (see sshauthopt_parse in
auth-options.c), so it should be safe to add the option and
no-user-rc.
Co-authored-by: zeripath <art27@cantab.net>
Co-authored-by: techknowlogick <techknowlogick@gitea.io>
Diffstat (limited to 'models')
-rw-r--r-- | models/ssh_key_authorized_keys.go | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/models/ssh_key_authorized_keys.go b/models/ssh_key_authorized_keys.go index ed17a12e9a..7843390ffc 100644 --- a/models/ssh_key_authorized_keys.go +++ b/models/ssh_key_authorized_keys.go @@ -39,7 +39,7 @@ import ( const ( tplCommentPrefix = `# gitea public key` - tplPublicKey = tplCommentPrefix + "\n" + `command=%s,no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty %s` + "\n" + tplPublicKey = tplCommentPrefix + "\n" + `command=%s,no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty,no-user-rc,restrict %s` + "\n" ) var sshOpLocker sync.Mutex |