Verify that an SSH command has not been embedded in a certificate?
From man 8 sshd, with regard to the Authorized Keys File Format and the command="command" option:
Note that this command may be superseded by either an sshd_config(5) ForceCommand directive or a command embedded in a certificate.
Using ssh-keygen -O force-command="command" allows a command to be embedded in a certificate. But how does one verify that a command has not been embedded in a certificate? Along the same lines of preventing unexpected commands from being executed, does ForceCommand always override a command embedded in a certificate?
"Can a malicious user bypass an ssh authorized_keys forced command?" asks a more general question about security, but currently the answers there do not mention commands embedded in certificates.
The ssh-keygen man page says
-O option
Specify a certificate option when signing a key.
The -O force-command=command option relates to certificates, not keys.
You will need to generate a certificate by signing a key, then you should be able to decode the certificate and see the embedded command.