Improve ssh examples

[calestyo]

Hey.

Again some proposals.

Not sure whether we can really use restrict … is anything in btrbk requiring PTY allocation on the SSH server?

Cheers, Chris.

[digint]

Thanks, merged with some rewording in: af2d7b2, 1287547

Not sure whether we can really use restrict … is anything in btrbk requiring PTY allocation on the SSH server?

It should work. I usually explicitely set no-agent-forwarding,no-port-forwarding,no-pty,no-user-rc,no-X11-forwarding in authorized_keys, which according to ssh(8) is exactly what restrict does:

# man sshd
restrict
        Enable all restrictions, i.e. disable port, agent and X11 for‐
        warding, as well as disabling PTY allocation and execution of
        ~/.ssh/rc.  If any future restriction capabilities are added to
        authorized_keys files, they will be included in this set.

[calestyo]

Thanks .:-)

[calestyo]

btw: There's another place where one could in principle add the restrict: https://github.com/digint/btrbk/blob/af2d7b2c99bac7c5af2f9b2c5f0b1947be525597/README.md?plain=1#L480

Though I didn't do it with my commit, as that line seemed to be more about just IP addresses.

btw: I personally don't think that restricting the IP gives really a lot benefit (it's far easier to spoof an IP than to hack a SSH key... so only if sshd would allow password based login or so... it would IMO make sense.

So I personally would rather emphasis that people use ssh_filter_btrbk.sh which I think gives really a lot.