upstream: clarify that Authorized(Keys|Principals)(File|Command)

are only consulted for valid users.

clarify that TOKENS are expanded without sanitisation or escaping
and that it's the user's reponsibility to ensure their usage is
safe.

prompted by bz3936; feedback/ok deraadt@

OpenBSD-Commit-ID: cd58abad1137346ba2dee55fa9ebb975f5fa7a06

diff --git a/ssh_config.5 b/ssh_config.5
index c5bf8338d813b1b695caf42d04fc24f30ced1190..b459b0449709e84cbe38da17b68642dc4b19b7d0 100644 (file)
--- a/ssh_config.5
+++ b/ssh_config.5
@@ -33,8 +33,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: ssh_config.5,v 1.422 2026/02/09 22:12:48 dtucker Exp $
-.Dd $Mdocdate: February 9 2026 $
+.\" $OpenBSD: ssh_config.5,v 1.423 2026/03/23 01:33:46 djm Exp $
+.Dd $Mdocdate: March 23 2026 $
 .Dt SSH_CONFIG 5
 .Os
 .Sh NAME
@@ -2305,7 +2305,14 @@ such as a wildcard:
 .Dl from=\&"!host1,!host2,*\&"
 .Sh TOKENS
 Arguments to some keywords can make use of tokens,
-which are expanded at runtime:
+which are expanded at runtime.
+Tokens are expanded without quoting or escaping of shell characters.
+It is the user's responsibility to ensure they are safe in the
+context of their use.
+.Pp
+The supported tokens in
+.Nm
+are:
 .Pp
 .Bl -tag -width XXXX -offset indent -compact
 .It %%

diff --git a/sshd_config.5 b/sshd_config.5
index 3b9303b8218b2f68bc59ebb760e9a95375ca0c4c..5bcec932dde23623546bdc486b4921c9efd558d0 100644 (file)
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -33,8 +33,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd_config.5,v 1.395 2026/02/09 22:12:48 dtucker Exp $
-.Dd $Mdocdate: February 9 2026 $
+.\" $OpenBSD: sshd_config.5,v 1.396 2026/03/23 01:33:46 djm Exp $
+.Dd $Mdocdate: March 23 2026 $
 .Dt SSHD_CONFIG 5
 .Os
 .Sh NAME
@@ -260,6 +260,7 @@ files and will not be executed if a matching key is found there.
 By default, no
 .Cm AuthorizedKeysCommand
 is run.
+This command is only executed for valid users.
 .It Cm AuthorizedKeysCommandUser
 Specifies the user under whose account the
 .Cm AuthorizedKeysCommand
@@ -292,6 +293,7 @@ Alternately this option may be set to
 to skip checking for user keys in files.
 The default is
 .Qq .ssh/authorized_keys .ssh/authorized_keys2 .
+These files are only checked for valid users.
 .It Cm AuthorizedPrincipalsCommand
 Specifies a program to be used to generate the list of allowed
 certificate principals as per
@@ -318,6 +320,7 @@ must contain a principal that is listed.
 By default, no
 .Cm AuthorizedPrincipalsCommand
 is run.
+This command is only executed for valid users.
 .It Cm AuthorizedPrincipalsCommandUser
 Specifies the user under whose account the
 .Cm AuthorizedPrincipalsCommand
@@ -359,6 +362,7 @@ The default is
 i.e. not to use a principals file \(en in this case, the username
 of the user must appear in a certificate's principals list for it to be
 accepted.
+This file is only checked for valid users.
 .Pp
 Note that
 .Cm AuthorizedPrincipalsFile
@@ -2189,7 +2193,14 @@ Time format examples:
 .El
 .Sh TOKENS
 Arguments to some keywords can make use of tokens,
-which are expanded at runtime:
+which are expanded at runtime.
+Tokens are expanded without quoting or escaping of shell characters.
+It is the administrator's responsibility to ensure they are safe in the
+context of their use.
+.Pp
+The supported tokens in
+.Nm
+are:
 .Pp
 .Bl -tag -width XXXX -offset indent -compact
 .It %%