Verify that an SSH command has not been embedded in a certificate?

ssh security ssh-keygen openssl

From man 8 sshd with regards to the Authorized Keys File Format and the command="command" option:

Note that this command may be superseded by either an sshd_config(5) ForceCommand directive or a command embedded in a certificate.

Using ssh-keygen -O force-command="command" allows a command to be embedded in a certificate. But how does one verify that a command has not been embedded in a certificate? Along these same lines of preventing unexpected commands from being executed, does ForceCommand always override a command embedded in a certificate?

Can a malicious user bypass a ssh authorized_keys forced command? asks a more general question about security but currently the answers there do not mention commands embedded in certificates.


The ssh-keygen man page says

-O option

        Specify a certificate option when signing a key.

The -O force-command=command option relates to certificates not keys.

You will need to generate a certificate by signing a key, then you should be able to decode the certificate and see the embedded command.

Related

Why does chkdsk take a long time on one particular index?
FRS not replicating C:\WINDOWS\SYSVOL\domain\scripts after non-authoritative restore
Jenkins Linux Slave error: SEVERE: I/O error in channel channel
Cannot register new System Center 2012 Service Manager Data Warehouse after Service Manager database move
How to assign multiple public IP address for 3 KVM guest using a single NIC [closed]
How do I get a public ssh key on a docker jenkins image for git authentication?
Disk size addressable by the OS
vSphere 5.1 U1 Client - "The command has timed out as the remote server is taking too long to respond"
Failing to mount root from ramdisk while PXE boot
FallbackResource in subdirectory
DFSR Backlog Stuck on Non-Existent Folders
SElinux label for php-fpm sockets