From b993bf76c5986e2f1916a72331070b97a53346b4 Mon Sep 17 00:00:00 2001 From: djm Date: Mon, 23 Mar 2026 01:33:46 +0000 Subject: [PATCH] clarify that Authorized(Keys|Principals)(File|Command) are only consulted for valid users. clarify that TOKENS are expanded without sanitisation or escaping and that it's the user's reponsibility to ensure their usage is safe. prompted by bz3936; feedback/ok deraadt@ --- usr.bin/ssh/ssh_config.5 | 13 ++++++++++--- usr.bin/ssh/sshd_config.5 | 17 ++++++++++++++--- 2 files changed, 24 insertions(+), 6 deletions(-) diff --git a/usr.bin/ssh/ssh_config.5 b/usr.bin/ssh/ssh_config.5 index c5bf8338d81..b459b044970 100644 --- a/usr.bin/ssh/ssh_config.5 +++ b/usr.bin/ssh/ssh_config.5 @@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh_config.5,v 1.422 2026/02/09 22:12:48 dtucker Exp $ -.Dd $Mdocdate: February 9 2026 $ +.\" $OpenBSD: ssh_config.5,v 1.423 2026/03/23 01:33:46 djm Exp $ +.Dd $Mdocdate: March 23 2026 $ .Dt SSH_CONFIG 5 .Os .Sh NAME @@ -2305,7 +2305,14 @@ such as a wildcard: .Dl from=\&"!host1,!host2,*\&" .Sh TOKENS Arguments to some keywords can make use of tokens, -which are expanded at runtime: +which are expanded at runtime. +Tokens are expanded without quoting or escaping of shell characters. +It is the user's responsibility to ensure they are safe in the +context of their use. +.Pp +The supported tokens in +.Nm +are: .Pp .Bl -tag -width XXXX -offset indent -compact .It %% diff --git a/usr.bin/ssh/sshd_config.5 b/usr.bin/ssh/sshd_config.5 index d6022747f21..03c42140ec6 100644 --- a/usr.bin/ssh/sshd_config.5 +++ b/usr.bin/ssh/sshd_config.5 @@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd_config.5,v 1.395 2026/02/09 22:12:48 dtucker Exp $ -.Dd $Mdocdate: February 9 2026 $ +.\" $OpenBSD: sshd_config.5,v 1.396 2026/03/23 01:33:46 djm Exp $ +.Dd $Mdocdate: March 23 2026 $ .Dt SSHD_CONFIG 5 .Os .Sh NAME @@ -260,6 +260,7 @@ files and will not be executed if a matching key is found there. By default, no .Cm AuthorizedKeysCommand is run. +This command is only executed for valid users. .It Cm AuthorizedKeysCommandUser Specifies the user under whose account the .Cm AuthorizedKeysCommand @@ -292,6 +293,7 @@ Alternately this option may be set to to skip checking for user keys in files. The default is .Qq .ssh/authorized_keys .ssh/authorized_keys2 . +These files are only checked for valid users. .It Cm AuthorizedPrincipalsCommand Specifies a program to be used to generate the list of allowed certificate principals as per @@ -318,6 +320,7 @@ must contain a principal that is listed. By default, no .Cm AuthorizedPrincipalsCommand is run. +This command is only executed for valid users. .It Cm AuthorizedPrincipalsCommandUser Specifies the user under whose account the .Cm AuthorizedPrincipalsCommand @@ -359,6 +362,7 @@ The default is i.e. not to use a principals file \(en in this case, the username of the user must appear in a certificate's principals list for it to be accepted. +This file is only checked for valid users. .Pp Note that .Cm AuthorizedPrincipalsFile @@ -2157,7 +2161,14 @@ Time format examples: .El .Sh TOKENS Arguments to some keywords can make use of tokens, -which are expanded at runtime: +which are expanded at runtime. +Tokens are expanded without quoting or escaping of shell characters. +It is the administrator's responsibility to ensure they are safe in the +context of their use. +.Pp +The supported tokens in +.Nm +are: .Pp .Bl -tag -width XXXX -offset indent -compact .It %%