Closed calestyo closed 1 year ago
Thanks, merged with some rewording in: af2d7b2, 1287547
Not sure whether we can really use restrict … is anything in btrbk requiring PTY allocation on the SSH server?
It should work. I usually explicitly set no-agent-forwarding,no-port-forwarding,no-pty,no-user-rc,no-X11-forwarding in authorized_keys, which according to ssh(8) is exactly what restrict does:
# man sshd
restrict
Enable all restrictions, i.e. disable port, agent and X11 forwarding, as well as disabling PTY allocation and execution of ~/.ssh/rc. If any future restriction capabilities are added to authorized_keys files, they will be included in this set.
Thanks. :-)
btw: There's another place where one could in principle add the restrict:
https://github.com/digint/btrbk/blob/af2d7b2c99bac7c5af2f9b2c5f0b1947be525597/README.md?plain=1#L480
Though I didn't do it with my commit, as that line seemed to be more about just IP addresses.
btw: I personally don't think that restricting the IP really gives a lot of benefit (it's far easier to spoof an IP than to hack an SSH key... so only if sshd would allow password based login or so... it would IMO make sense).
So I personally would rather emphasize that people use ssh_filter_btrbk.sh, which I think really gives a lot.
Hey.
Again some proposals.
Not sure whether we can really use restrict … is anything in btrbk requiring PTY allocation on the SSH server?
Cheers, Chris.
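
The equivalence discussed in this thread can be checked mechanically. The following is an added example, not code from btrbk or from the participants: it parses the options field of an authorized_keys line and reports whether the key carries restrict or the full explicit no-* set, and whether a forced command points at ssh_filter_btrbk.sh. The function names, the key material, the /path/to/ prefix and the from= addresses are constructed for illustration.

```python
# Options that sshd(8) lists as covered by "restrict" (see the man page excerpt above).
RESTRICT_SET = {"no-port-forwarding", "no-agent-forwarding", "no-x11-forwarding", "no-pty", "no-user-rc"}
KEY_PREFIXES = ("ssh-", "ecdsa-", "sk-")  # a line starting with a key type has no options

def parse_options(line):
    """Return the options field of one authorized_keys line as {name: value or None}."""
    line = line.strip()
    if not line or line.startswith("#") or line.startswith(KEY_PREFIXES):
        return {}
    opts, cur, in_quote, i = {}, "", False, 0
    while i < len(line):
        ch = line[i]
        if ch == "\\" and in_quote and line[i + 1:i + 2] == '"':
            cur, i = cur + '"', i + 2      # escaped quote inside a quoted value
            continue
        if ch == '"':
            in_quote = not in_quote
        elif not in_quote and (ch == "," or ch.isspace()):
            name, sep, value = cur.partition("=")
            if name:
                opts[name.lower()] = value if sep else None  # keywords are case-insensitive
            cur = ""
            if ch.isspace():               # unquoted whitespace ends the options field
                break
        else:
            cur += ch
        i += 1
    return opts

def audit(line, filter_script="ssh_filter_btrbk.sh"):
    """Return findings for one key line; an empty list means nothing to report."""
    opts = parse_options(line)
    if "restrict" in opts:  # pty, port-forwarding etc. switch single features back on
        findings = [f"{o} re-enabled after restrict"
                    for o in sorted(opts) if "no-" + o in RESTRICT_SET]
    else:
        findings = [f"missing {m}" for m in sorted(RESTRICT_SET - set(opts))]
    if filter_script not in (opts.get("command") or ""):
        findings.append(f"no forced command running {filter_script}")
    return findings

KEY = "ssh-ed25519 AAAAC3PLACEHOLDER btrbk@constructed"  # constructed, not a real key
SAMPLE = [  # constructed lines; /path/to/ is a placeholder
    f'from="192.0.2.10,192.0.2.11",restrict,command="/path/to/ssh_filter_btrbk.sh" {KEY}',
    f'no-agent-forwarding,no-port-forwarding,no-pty,no-user-rc,no-X11-forwarding,command="/path/to/ssh_filter_btrbk.sh" {KEY}',
    f"restrict,pty {KEY}",
    KEY]
for entry in SAMPLE:
    print(audit(entry) or "ok", "<-", entry[:45])
```

The first two sample lines produce no findings, which is the point made in the thread: restrict and the five explicit no-* options are treated as equivalent.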