docs about borg serve's special support for forced/original ssh commands, fixes #544

docs/deployment.rst

@@ -69,10 +69,9 @@ forced command and restrictions applied as shown below:
 
 The options which are added to the key will perform the following:
 
-1. Force command on the ssh key and don't allow any other command to run
-2. Change working directory
-3. Run ``borg serve`` restricted at the client base path
-4. Restrict ssh and do not allow stuff which imposes a security risk
+1. Change working directory
+2. Run ``borg serve`` restricted to the client base path
+3. Restrict ssh and do not allow stuff which imposes a security risk
 
 Due to the ``cd`` command we use, the server automatically changes the current
 working directory. Then client doesn't need to have knowledge of the absolute

docs/usage.rst

@@ -426,6 +426,15 @@ Examples
 
 Examples
 ~~~~~~~~
+
+borg serve has special support for ssh forced commands (see ``authorized_keys``
+example below): it will detect that you use such a forced command and extract
+the value of the ``--restrict-to-path`` option(s).
+It will then parse the original command that came from the client, makes sure
+that it is also ``borg serve`` and enforce path restriction(s) as given by the
+forced command. That way, other options given by the client (like ``--info`` or
+``--umask``) are preserved (and are not fixed by the forced command).
+
 ::
 
     # Allow an SSH keypair to only run borg, and only have access to /mnt/backup.