I'm creating an account for running a single command when connecting with SSH into the router (Archer C7 v2 running OpenWRT 22.03.3, r20028-43d71ad93e). I'm using an authorized_keys file with a line disabling features I do not need for this purpose for security reasons:
I noticed that with no-user-rc my key is not accepted. Even if I just use:
no-user-rc ssh-ed25519 ....
the login fails with Permission denied (publickey). After removing no-user-rc, logging in works.
~/.ssh/rc does not exist, though as far as I understand this should not be a factor. I know it makes no sense to disable it if the file does not exist, but in principle it could be an additional attack vector.
Any idea why this is? Is this a bug in SSH/dropbear, or a feature? Have I misunderstood something in the documentation?
I would say that dropbear simply rejects pubkey entries with options it does not recognize, for security reasons. It's the sensible thing to do. If you don't recognize an option you can't enforce it, so it's best to refuse authentication completely instead of inadvertently accepting something the administrator presumes to be denied.
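
Added example (not part of either post, and not Dropbear's code): if the server refuses keys carrying options it does not know, as the answer suggests, a check like this run before deploying the file catches them. The SUPPORTED set is an assumption based on the options documented in dropbear(8) and should be compared with the installed version; the function names and the sample keys are constructed.

```python
# Added example: lint authorized_keys lines against an option allowlist.
# ASSUMPTION: SUPPORTED mirrors the options listed in dropbear(8); adjust it
# to the man page of the version on the router. Names are compared lowercased.
SUPPORTED = {"no-port-forwarding", "no-agent-forwarding",
             "no-x11-forwarding", "no-pty", "command"}
KEY_PREFIXES = ("ssh-", "ecdsa-sha2-", "sk-")

def option_field(line):
    """Return the leading option field, or '' if the line starts with a key type."""
    if line.startswith(KEY_PREFIXES):
        return ""
    quoted = False
    for i, ch in enumerate(line):
        if ch == '"' and (i == 0 or line[i - 1] != "\\"):
            quoted = not quoted
        elif ch in " \t" and not quoted:
            return line[:i]          # first unquoted whitespace ends the options
    return line

def split_options(field):
    """Split the option field on commas that sit outside double quotes."""
    opts, cur, quoted = [], "", False
    for i, ch in enumerate(field):
        if ch == '"' and (i == 0 or field[i - 1] != "\\"):
            quoted = not quoted
        if ch == "," and not quoted:
            opts.append(cur)
            cur = ""
        else:
            cur += ch
    return opts + [cur] if cur else opts

def unsupported_options(text, supported=SUPPORTED):
    """Return (line_number, option_name) for each option outside the allowlist."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        for opt in split_options(option_field(line)):
            name = opt.split("=", 1)[0].lower()
            if name not in supported:
                findings.append((n, name))
    return findings

# Constructed sample; the key material is a placeholder, not a real key.
SAMPLE = '''# single-command account
no-pty,command="uptime, please" ssh-ed25519 AAAAPLACEHOLDER user@host
no-user-rc ssh-ed25519 AAAAPLACEHOLDER user@host
ssh-ed25519 AAAAPLACEHOLDER user@host
'''
```

Calling `unsupported_options(SAMPLE)` reports only the `no-user-rc` entry on line 3; the quoted comma and space inside `command="..."` are not treated as separators.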