It would be helpful if the documentation gave a more complete description of how the shell is selected to run commands. Recently, the sshd man page added documentation that sshrc commands are run by sh, and not the user shell. There are still some other things that could use more detail. For example, sshd never uses the SHELL environment variable, but ssh-agent does. I think it should be stated that commands are always run under the shell defined by getpw(), including commands for ssh_config keys with the "command=" option.

This came up when trying to set up an ssh key to allow remote execution of a pre-defined task using the "command=" feature. I also wanted to disable logins for that account, so it could only be used to invoke that specific task. Obviously, setting the shell to /sbin/nologin didn't work. However, searching for ways to achieve this, I found that it is not uncommon for people to assume that commands are run as if by system(). In most cases, perhaps it should be obvious that a "remote shell" always runs commands under the account's shell, but I think this should be clarified at least for the "command=" feature. Consider a situation where an ssh-key is defined to invoke a specific task, but a user figures out a way to change the account shell in a way that affects the access allowed by that ssh key.

It's not a major issue, but I think its worth including a few extra sentences so that you don't have to read the source code just to figure out the details of how commands are run.