Simplify the authorized_keys restrictions

pkern · pkern · commit 6b5cb02ed796 · 2024-11-16T23:52:57.000+01:00
Just use "restrict" instead of listing all restrictions under the sun.

h/t to robryk for the suggestion
diff --git a/README.md b/README.md
@@ -71,8 +71,8 @@ In the above setup, the CA runs as user `sshca` on host `cahost.example.com`.
 `authorized_keys` would look like this:
 
 ```
-command="/path/to/sshca run user",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty,no-user-rc sk-ssh-ed25519@openssh.com [...]
-command="/path/to/sshca run anotheruser",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty,no-user-rc sk-ssh-ed25519@openssh.com [...]
+command="/path/to/sshca run user",restrict sk-ssh-ed25519@openssh.com [...]
+command="/path/to/sshca run anotheruser",restrict sk-ssh-ed25519@openssh.com [...]
 ```
 
 The CA expects the location of the signing key in `~/.sshca.toml`:
diff --git a/cmd/root.go b/cmd/root.go
@@ -31,7 +31,7 @@ var rootCmd = &cobra.Command{
 certificates to users. It is commonly used like this in authorized_keys
 of a role account:
 
-no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty,command="sshca run <username>" ssh-rsa [...]
+restrict,command="sshca run <username>" ssh-rsa [...]
 
 It will take a JSON-encoded request on stdin and output a JSON structure
 containing a certificate to stdout.`,
