Hey. It seems that when "SessionType none" one does not only get no interactive login (as the novice user might assume), but also any commands specified for execution on the remote side, like authorized_keys’ command= feature aren't invoked. Perhaps it's worth to mention that briefly in the manpage. Cheers, Chris.
This is the current description in the manpage: > SessionType > May be used to either request invocation of a subsystem on the > remote system, or to prevent the execution of a remote command at > all. The latter is useful for just forwarding ports. The argu‐ > ment to this keyword must be *none* (same as the -N option), > *subsystem* (same as the -s option) or *default* (shell or command > execution). IMO this is pretty clear already - the first sentence mentions the behaviour of blocking all shell/command execution and the third describes which does which.
Well, but you're a core OpenSSH developer, knowing the code at it's heart ;-) For an admin/end-user it may easily be not that obvious, given that the command is already specified on the server (and not via the client) and especially given that the connecting client has no choice in overriding that command. Anyway, was just a suggestion. Feel free to close if you think it's not necessary. Cheers, Chris.