From man 8 sshd, with regards to the Authorized Keys File Format and the command="command" option:

    Note that this command may be superseded by either an sshd_config(5) ForceCommand directive or a command embedded in a certificate.
Using ssh-keygen -O force-command="command" allows a command to be embedded in a certificate. But how does one verify that a command has not been embedded in a certificate? Along these same lines of preventing unexpected commands from being executed, does ForceCommand always override a command embedded in a certificate?
"Can a malicious user bypass a ssh authorized_keys forced command?" asks a more general question about security, but currently the answers there do not mention commands embedded in certificates.
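The following is an added example and not part of the original question or of OpenSSH's own tooling. It answers the "how does one verify" part: `ssh-keygen -L -f <cert>` prints a certificate's contents, including its Critical Options, and a `force-command` entry there is exactly the command that `ssh-keygen -O force-command=...` embeds. The script builds a throwaway CA in a temporary directory, signs one user certificate with an embedded force-command and one without, and uses a small awk filter over `ssh-keygen -L` output to report which certificate carries one. The CA name, the principal `alice`, the key IDs and the command `/usr/local/bin/backup-only` are illustrative assumptions.

```shell
#!/bin/sh
# Added example (not from the original question): inspect SSH user
# certificates for an embedded force-command critical option.
# All keys are generated under a temporary directory that is removed on exit.
# The CA, principal, key IDs and the forced command are assumptions.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# cert_force_command CERTFILE
# Prints the embedded force-command and returns 0 if the certificate has one;
# returns 1 (printing nothing) otherwise.  ssh-keygen -L prints, for example:
#         Critical Options:
#                 force-command /usr/local/bin/backup-only
#         Extensions:
# or "Critical Options: (none)" when the section is empty.
cert_force_command() {
    ssh-keygen -L -f "$1" | awk '
        $1 == "Critical" && $2 == "Options:" { inopts = 1; next }
        inopts && $1 == "Extensions:"        { exit }
        inopts && $1 == "force-command" {
            sub(/^[ \t]*force-command[ \t]*/, "")   # keep only the command text
            print
            found = 1
        }
        END { exit found ? 0 : 1 }'
}

# Create a CA, a user key, and two certificates for that key: one signed with
# -O force-command, one signed without any critical options.
make_ca_and_certs() {
    ssh-keygen -q -t ed25519 -N '' -C 'example CA' -f "$WORK/ca"
    ssh-keygen -q -t ed25519 -N '' -C 'alice'      -f "$WORK/alice"

    # ssh-keygen -s writes <name>-cert.pub next to <name>.pub, so sign two
    # copies of the same public key to get two distinct certificate files.
    cp "$WORK/alice.pub" "$WORK/restricted.pub"
    cp "$WORK/alice.pub" "$WORK/plain.pub"

    # Certificate with an embedded forced command (assumed path)
    ssh-keygen -q -s "$WORK/ca" -I alice-restricted -n alice \
        -O force-command='/usr/local/bin/backup-only' "$WORK/restricted.pub"

    # Certificate with no critical options at all
    ssh-keygen -q -s "$WORK/ca" -I alice-shell -n alice "$WORK/plain.pub"
}

# Demonstration: only runs where ssh-keygen is installed.
if command -v ssh-keygen >/dev/null 2>&1; then
    make_ca_and_certs
    for cert in "$WORK/restricted-cert.pub" "$WORK/plain-cert.pub"; do
        if cmd=$(cert_force_command "$cert"); then
            printf '%s: forced command embedded: %s\n' "$cert" "$cmd"
        else
            printf '%s: no forced command embedded\n' "$cert"
        fi
    done
fi
```

The same `cert_force_command` function can be pointed at any certificate file a client presents, and the awk filter stops at the `Extensions:` line so that extension names are never mistaken for critical options. Reading the output of `ssh-keygen -L` is the only way to see the option: the certificate file is a single base64 blob, and the forced command is not visible by inspecting the file directly.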