From e595986458e24ff0e490d79bd7569672a563f1cd Mon Sep 17 00:00:00 2001
From: mscherer <mscherer@users.noreply.github.com>
Date: Tue, 23 Nov 2021 03:44:26 +0100
Subject: [PATCH] Harden authorized keys a bit more (#17772)

sshd(8) lists `restrict` as a future-proof way to restrict the features
enabled for a key. It has been supported since OpenSSH 7.2, released
2016-02-29.

OpenSSH will ignore unknown options (see sshauthopt_parse in
auth-options.c), so it should be safe to add the option and
no-user-rc.

Co-authored-by: zeripath <art27@cantab.net>
Co-authored-by: techknowlogick <techknowlogick@gitea.io>
---
 models/ssh_key_authorized_keys.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/models/ssh_key_authorized_keys.go b/models/ssh_key_authorized_keys.go
index ed17a12e9a..7843390ffc 100644
--- a/models/ssh_key_authorized_keys.go
+++ b/models/ssh_key_authorized_keys.go
@@ -39,7 +39,7 @@ import (
 
 const (
 	tplCommentPrefix = `# gitea public key`
-	tplPublicKey     = tplCommentPrefix + "\n" + `command=%s,no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty %s` + "\n"
+	tplPublicKey     = tplCommentPrefix + "\n" + `command=%s,no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty,no-user-rc,restrict %s` + "\n"
 )
 
 var sshOpLocker sync.Mutex
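Review bot: The new template keeps the explicit no-port-forwarding, no-X11-forwarding, no-agent-forwarding, no-pty and no-user-rc options next to `restrict`, which on OpenSSH >= 7.2 already implies all of them, but nothing in the code records that this duplication is deliberate, so a later tidy-up could drop the explicit options and silently lose the restrictions on an older sshd that skips `restrict` as unknown. I would add a comment above the `const` block, e.g. `// restrict (OpenSSH >= 7.2) implies every no-* option below and any added in future; the explicit no-* options are kept for older sshd, which ignores unknown options.` Note also that authorized_keys options are applied left to right, so any permissive option added later (for example `pty`) must come after `restrict` or it will be cancelled by it. The `command=%s` placeholder is inserted without quoting in this template; I assume the caller, which is outside this hunk, shell-escapes and quotes the command, and that is worth confirming since the template itself does not.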