|  | @@ -29,3 +29,13 @@ locations like ``/etc/environment`` or in the forced command itself (example bel
 | 
	
		
			
				|  |  |      $ cat ~/.ssh/authorized_keys
 | 
	
		
			
				|  |  |      command="export BORG_XXX=value; borg serve [...]",restrict ssh-rsa [...]
 | 
	
		
			
				|  |  |  
 | 
	
		
			
				|  |  | +.. note::
 | 
	
		
			
				|  |  | +    The examples above use the ``restrict`` directive. This does automatically
 | 
	
		
			
				|  |  | +    block potential dangerous ssh features, even when they are added in a future
 | 
	
		
			
				|  |  | +    update. Thus, this option should be prefered.
 | 
	
		
			
				|  |  | +    
 | 
	
		
			
				|  |  | +    If you're using openssh-server < 7.2, however, you have to explicitly specify
 | 
	
		
			
				|  |  | +    the ssh features to restrict and cannot simply use the restrict option as it
 | 
	
		
			
				|  |  | +    has been introduced in v7.2. We recommend to use
 | 
	
		
			
				|  |  | +    ``,no-port-forwarding,no-X11-forwarding,no-pty,no-agent-forwarding,no-user-rc``
 | 
	
		
			
				|  |  | +    in this case.
 |