From: djm@openbsd.org Date: Mon, 23 Mar 2026 01:33:46 +0000 (+0000) Subject: upstream: clarify that Authorized(Keys|Principals)(File|Command) X-Git-Tag: V_10_3_P1~34 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=2ca6eef69d7dbecfd67cede25ea6a9aa1074ba3e;p=thirdparty%2Fopenssh-portable.git upstream: clarify that Authorized(Keys|Principals)(File|Command) are only consulted for valid users. clarify that TOKENS are expanded without sanitisation or escaping and that it's the user's reponsibility to ensure their usage is safe. prompted by bz3936; feedback/ok deraadt@ OpenBSD-Commit-ID: cd58abad1137346ba2dee55fa9ebb975f5fa7a06 --- diff --git a/ssh_config.5 b/ssh_config.5 index c5bf8338d..b459b0449 100644 --- a/ssh_config.5 +++ b/ssh_config.5 @@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh_config.5,v 1.422 2026/02/09 22:12:48 dtucker Exp $ -.Dd $Mdocdate: February 9 2026 $ +.\" $OpenBSD: ssh_config.5,v 1.423 2026/03/23 01:33:46 djm Exp $ +.Dd $Mdocdate: March 23 2026 $ .Dt SSH_CONFIG 5 .Os .Sh NAME @@ -2305,7 +2305,14 @@ such as a wildcard: .Dl from=\&"!host1,!host2,*\&" .Sh TOKENS Arguments to some keywords can make use of tokens, -which are expanded at runtime: +which are expanded at runtime. +Tokens are expanded without quoting or escaping of shell characters. +It is the user's responsibility to ensure they are safe in the +context of their use. +.Pp +The supported tokens in +.Nm +are: .Pp .Bl -tag -width XXXX -offset indent -compact .It %% diff --git a/sshd_config.5 b/sshd_config.5 index 3b9303b82..5bcec932d 100644 --- a/sshd_config.5 +++ b/sshd_config.5 @@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd_config.5,v 1.395 2026/02/09 22:12:48 dtucker Exp $ -.Dd $Mdocdate: February 9 2026 $ +.\" $OpenBSD: sshd_config.5,v 1.396 2026/03/23 01:33:46 djm Exp $ +.Dd $Mdocdate: March 23 2026 $ .Dt SSHD_CONFIG 5 .Os .Sh NAME @@ -260,6 +260,7 @@ files and will not be executed if a matching key is found there. By default, no .Cm AuthorizedKeysCommand is run. +This command is only executed for valid users. .It Cm AuthorizedKeysCommandUser Specifies the user under whose account the .Cm AuthorizedKeysCommand @@ -292,6 +293,7 @@ Alternately this option may be set to to skip checking for user keys in files. The default is .Qq .ssh/authorized_keys .ssh/authorized_keys2 . +These files are only checked for valid users. .It Cm AuthorizedPrincipalsCommand Specifies a program to be used to generate the list of allowed certificate principals as per @@ -318,6 +320,7 @@ must contain a principal that is listed. By default, no .Cm AuthorizedPrincipalsCommand is run. +This command is only executed for valid users. .It Cm AuthorizedPrincipalsCommandUser Specifies the user under whose account the .Cm AuthorizedPrincipalsCommand @@ -359,6 +362,7 @@ The default is i.e. not to use a principals file \(en in this case, the username of the user must appear in a certificate's principals list for it to be accepted. +This file is only checked for valid users. .Pp Note that .Cm AuthorizedPrincipalsFile @@ -2189,7 +2193,14 @@ Time format examples: .El .Sh TOKENS Arguments to some keywords can make use of tokens, -which are expanded at runtime: +which are expanded at runtime. +Tokens are expanded without quoting or escaping of shell characters. +It is the administrator's responsibility to ensure they are safe in the +context of their use. +.Pp +The supported tokens in +.Nm +are: .Pp .Bl -tag -width XXXX -offset indent -compact .It %%