Can Malicious User Bypass SSH Authorized_Keys Forced Command?

ssh

Using Linux and OpenSSH:

A user can connect using ssh to a server on which his key is in the authorized_keys list. His public key is preceded by command="command..." which forces execution of a specific command (non-shell):

command="/path/to/somescript...",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-user-rc ssh-rsa AAAff...................

  • Is there a way that the user can bypass this command?
  • What about sftp? Does sftp work when using a forced command (which is not a shell)?

Best Answer

If the allowed command set includes the sftp daemon (or internal-sftp), then SFTP would be allowed. However, if you're setting the forced command in the authorized_keys file and the user had sftp access, without additional work they could replace the file with one not restricted to what you define. This would of course work with any application that the user can instruct to modify that file (intentionally or by tricking it). A better option may be to restrict by user or group within the main sshd_config, possibly with ChrootDirectory.
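
An added example, not part of the original answer: a small audit for the weakness described above, listing the forced commands in an authorized_keys file that the account itself could remove by rewriting that file. The sample file and its placeholder keys are constructed, the function names are hypothetical, and only the file and its parent directory are examined (ancestor directories and sticky bits are ignored).

```python
import os
import re
import stat
import tempfile

# First whitespace-delimited field, honouring double-quoted option values.
FIRST_FIELD = re.compile(r'((?:"(?:\\.|[^"\\])*"|[^\s"])+)')
OPTION = re.compile(r'([A-Za-z0-9-]+)(?:="((?:\\.|[^"\\])*)")?(?:,|$)')
KEY_TYPES = ("ssh-", "ecdsa-", "sk-")

# Constructed sample; the key blobs are placeholders, not real keys.
SAMPLE = '''# constructed authorized_keys
command="/path/to/somescript",no-port-forwarding,no-X11-forwarding ssh-rsa AAAAplaceholder user@host
ssh-ed25519 AAAAplaceholder unrestricted@host
'''

def forced_command(line):
    """Return the command="..." value of one authorized_keys line, or None."""
    m = FIRST_FIELD.match(line.strip())
    if not m or m.group(1).startswith(("#",) + KEY_TYPES):
        return None  # blank, comment, malformed, or a key with no options
    for name, value in OPTION.findall(m.group(1)):
        if name.lower() == "command":
            return value
    return None

def user_can_replace(path, uid, gids=()):
    """True if `uid` owns, or may write, the file or its parent directory."""
    parent = os.path.dirname(os.path.abspath(path))
    for st in (os.stat(path), os.stat(parent)):
        if st.st_uid == uid:
            return True  # an owner can always chmod and then rewrite
        bit = stat.S_IWGRP if st.st_gid in gids else stat.S_IWOTH
        if st.st_mode & bit:
            return True
    return False

def audit(path, uid, gids=()):
    """List forced commands in `path` that `uid` could drop by rewriting it."""
    with open(path) as fh:
        forced = [c for c in map(forced_command, fh) if c is not None]
    return forced if user_can_replace(path, uid, gids) else []

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        p = os.path.join(d, "authorized_keys")
        with open(p, "w") as fh:
            fh.write(SAMPLE)
        print(audit(p, os.getuid()))
```

An empty result for an account means its forced commands sit in a file and directory that the account neither owns nor can write to.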