From 556eff26b9addd806abc9b4acc6abc90ee30f217 Mon Sep 17 00:00:00 2001
From: Julien Cristau <jcristau@debian.org>
Date: Mon, 5 Feb 2018 17:29:31 +0100
Subject: [PATCH] Use "restrict" key option for buildd access to upload hosts

---
 .../templates/ssh_upload_buildd-uploader-authorized_keys.erb    | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/roles/templates/ssh_upload_buildd-uploader-authorized_keys.erb b/modules/roles/templates/ssh_upload_buildd-uploader-authorized_keys.erb
index 8dccbfb40..ad506d04b 100644
--- a/modules/roles/templates/ssh_upload_buildd-uploader-authorized_keys.erb
+++ b/modules/roles/templates/ssh_upload_buildd-uploader-authorized_keys.erb
@@ -30,7 +30,7 @@ for m in buildds do
     lines << "## no key for node"
   else
     lines << "command=\"/home/buildd-uploader/rsync-ssh-wrap #{m['node'].split('.')[0]}\"," +
-             'no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-user-rc,' +
+             'restrict,' +
              'from="' + m['addr'].join(',') + '" ' +
              m['key']
   end
-- 
2.20.1