Can a malicious user bypass a ssh authorized_keys forced command?
Using Linux and Openssh:
A user can connect using ssh to a server on which his key is in the authorized_keys list. His public key is preceded by command="command...", which forces execution of a specific command (non-shell):
command="/path/to/somescript...",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-user-rc ssh-rsa AAAff...................
- Is there a way that the user can bypass this command?
- What about sftp? Does sftp work when using a forced command (which is not a shell)?
If the allowed command set includes the sftp daemon (or internal-sftp), then SFTP would be allowed. However, if you're setting the forced command in the authorized_keys file and the user has sftp access, without additional work they could replace the file with one not restricted to what you define. This would of course work with any application that the user can instruct to modify that file (intentionally or by tricking it). A better option may be to restrict by user or group within the main sshd_config, possibly with ChrootDirectory.
The most common threat comes from allowing them to use a command that is capable of doing things the admin hadn't thought about. For example, CVS and SVN allow pre/post-commit scripts to run. If a user can modify a post-commit script, he can run his own commands.
You can set an attribute using chattr on the .ssh folder and the authorized_keys file after you have made the required entries to the authorized_keys file; this way nobody will be able to make any changes to, or even overwrite, the .ssh folder or the authorized_keys file.
You can do a recursive chattr:
chattr -R +i .ssh
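As an added example (not from the question or either answer), the following POSIX shell audit puts both answers' advice into a check an admin can run: it flags forced-command key lines that lack the restriction options, and reports whether the key file itself is still rewritable (no chattr +i flag and writable mode). The option list REQUIRED_OPTS, the helper names and the sample key file are assumptions; the key material is fake.

```shell
#!/bin/sh
# Added example, not from the original post. Audits an authorized_keys file
# for forced-command lines missing restriction options, and for a file the
# user could still rewrite (the sftp overwrite problem discussed above).

# Options expected alongside command= (a chosen policy, not an OpenSSH rule).
REQUIRED_OPTS="no-port-forwarding no-X11-forwarding no-agent-forwarding no-pty no-user-rc"

# Constructed sample file; the key material is fake.
SAMPLE_KEYS='# constructed sample, not real key material
command="/usr/local/bin/run-backup",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty,no-user-rc ssh-ed25519 AAAAC3FAKEKEY1 backup@example
command="/usr/lib/openssh/sftp-server",no-port-forwarding ssh-rsa AAAAB3FAKEKEY2 sftp@example
ssh-rsa AAAAB3FAKEKEY3 shell@example'

# Prints one verdict per key line: OK, MISSING:<opt,...> or NO-FORCED-COMMAND.
# Assumes the quoted command contains no double quotes.
audit_keys() {
  while IFS= read -r line || [ -n "$line" ]; do
    case $line in
      ''|'#'*) continue ;;                          # blank lines and comments
      *command=*) ;;
      *) printf 'NO-FORCED-COMMAND\n'; continue ;;
    esac
    # Mask the quoted command so spaces inside it do not end the option list,
    # then keep everything up to the first space (the comma-separated options).
    opts=$(printf '%s\n' "$line" | sed 's/command="[^"]*"/command=CMD/')
    opts=${opts%% *}
    missing=
    for o in $REQUIRED_OPTS; do
      case ",$opts," in
        *",$o,"*) ;;
        *) missing="$missing,$o" ;;
      esac
    done
    [ -z "$missing" ] && printf 'OK\n' || printf 'MISSING:%s\n' "${missing#,}"
  done < "$1"
}

# Succeeds when the file can still be rewritten: no immutable flag (set by
# chattr +i, read back with lsattr where the filesystem supports it) and
# writable mode bits.
file_is_mutable() {
  if lsattr -d "$1" 2>/dev/null | grep -q '^[^ ]*i[^ ]* '; then
    return 1
  fi
  [ -w "$1" ]
}

# Stand-alone demo on the constructed sample: ./audit.sh demo
if [ "${1:-}" = "demo" ]; then
  f=$(mktemp); printf '%s\n' "$SAMPLE_KEYS" > "$f"
  audit_keys "$f"
  file_is_mutable "$f" && echo "authorized_keys is still writable by its owner"
  rm -f "$f"
fi
```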