From 41248bbab10b5cafe1f6a7bbcf2cdf103c260c56 Mon Sep 17 00:00:00 2001 From: rugk Date: Fri, 23 Jun 2017 14:50:00 +0200 Subject: [PATCH] Add legacy note & normalize order --- docs/deployment/hosting-repositories.rst | 2 +- docs/usage/serve.rst | 10 ++++++++++ 2 files changed, 11 insertions(+), 1 deletion(-) diff --git a/docs/deployment/hosting-repositories.rst b/docs/deployment/hosting-repositories.rst index e502d644f..a44b99414 100644 --- a/docs/deployment/hosting-repositories.rst +++ b/docs/deployment/hosting-repositories.rst @@ -29,7 +29,7 @@ SSH access to safe operations only. :: - restrict,command="borg serve --restrict-to-repository /home//repository" + command="borg serve --restrict-to-repository /home//repository",restrict .. note:: The text shown above needs to be written on a **single** line! diff --git a/docs/usage/serve.rst b/docs/usage/serve.rst index f3a48b585..1753b3392 100644 --- a/docs/usage/serve.rst +++ b/docs/usage/serve.rst @@ -29,3 +29,13 @@ locations like ``/etc/environment`` or in the forced command itself (example bel $ cat ~/.ssh/authorized_keys command="export BORG_XXX=value; borg serve [...]",restrict ssh-rsa [...] +.. note:: + The examples above use the ``restrict`` directive. This does automatically + block potential dangerous ssh features, even when they are added in a future + update. Thus, this option should be prefered. + + If you're using openssh-server < 7.2, however, you have to explicitly specify + the ssh features to restrict and cannot simply use the restrict option as it + has been introduced in v7.2. We recommend to use + ``,no-port-forwarding,no-X11-forwarding,no-pty,no-agent-forwarding,no-user-rc`` + in this case.
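Review bot: The ``docs/deployment/hosting-repositories.rst`` hunk keeps ``restrict`` in its authorized_keys example, but the legacy note for openssh-server < 7.2 is added only to ``docs/usage/serve.rst``. A reader who follows the hosting guide on an older server gets no hint that the option is unavailable there. Add a short cross-reference to the new note in ``serve.rst`` directly below this example, next to the existing "single line" note, or repeat the fallback option list here.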
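Review bot: In the note added to ``docs/usage/serve.rst``, the fallback list is written with a leading comma (``,no-port-forwarding,...``) and the text never says that it takes the place of ``restrict``, so it is unclear what the resulting authorized_keys line should look like. Show the complete legacy line in the same form as the example just above the note, for instance ``command="export BORG_XXX=value; borg serve [...]",no-port-forwarding,no-X11-forwarding,no-pty,no-agent-forwarding,no-user-rc ssh-rsa [...]``, and state that it replaces ``restrict``. Wording in the same note: "prefered" should be "preferred", "potential dangerous" should be "potentially dangerous", and "We recommend to use" reads better as "We recommend using".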