https://bugzilla.mindrot.org/show_bug.cgi?id=2276
--- Comment #9 from Alon Bar-Lev <[email protected]> ---
(In reply to Damien Miller from comment #8)
> The idea is to prevent the _target_ user from modifying
> AuthorizedUsersCommand, not the user who starts sshd.
>
> If the user can start sshd, then they can hardly do more damage by
> running AuthorizedUsersCommand...

I understand.

But fortunately, sshd can also run under a non-root account that has no special permissions and cannot switch user. This is very useful for git or backup usages in which one wants to completely isolate the remote.

In this use case, running sshd under the git user will enable access to the machine using git@host, while authenticating based on the authorized keys command; this works perfectly.

The only missing bit is to enable this command to be owned by a different account than root. Owning it by the user who started sshd is, in this case, the same as owning it as the _target_ user.

This is why I added a configuration option.
