Harden authorized keys a bit more (#17772)

mscherer · zeripath · techknowlogick · web-flow · commit e595986458e2 · 2021-11-22T21:44:26.000-05:00
sshd(8) list restrict as a future-proof way to restrict feature
enabled in ssh. It is supported since OpenSSH 7.2, out since
2016-02-29.

OpenSSH will ignore unknown options (see sshauthopt_parse in
auth-options.c), so it should be safe to add the option and
no-user-rc.

Co-authored-by: zeripath &lt;art27@cantab.net&gt;
Co-authored-by: techknowlogick &lt;techknowlogick@gitea.io&gt;
diff --git a/models/ssh_key_authorized_keys.go b/models/ssh_key_authorized_keys.go
@@ -39,7 +39,7 @@ import (
 
 const (
 	tplCommentPrefix = `# gitea public key`
-	tplPublicKey     = tplCommentPrefix + "\n" + `command=%s,no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty %s` + "\n"
+	tplPublicKey     = tplCommentPrefix + "\n" + `command=%s,no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty,no-user-rc,restrict %s` + "\n"
 )
 
 var sshOpLocker sync.Mutex

Original file line number	Diff line number	Diff line change
`@@ -39,7 +39,7 @@ import (`
`39`	`39`
`40`	`40`	`const (`
`41`	`41`	tplCommentPrefix = `# gitea public key`
`42`		- tplPublicKey = tplCommentPrefix + "\n" + `command=%s,no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty %s` + "\n"
	`42`	+ tplPublicKey = tplCommentPrefix + "\n" + `command=%s,no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty,no-user-rc,restrict %s` + "\n"
`43`	`43`	`)`
`44`	`44`
`45`	`45`	`var sshOpLocker sync.Mutex`