O Debian SSH authorized_keys está sendo ignorado

Estou usando o authorized_keys para restringir os comandos utilizáveis para um usuário. O dono do ~ / .ssh e o arquivo é a raiz e definido como

chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys

Isso funcionava muito bem, até que descobri que, em algum momento, o usuário agora pode usar novamente todos os comandos. O arquivo authorized_keys contém:

command="mysql -u arg1 -p arg2",no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa public_key

Eu não sei o que estou fazendo errado, também tentei no modo de depuração e verifiquei os logs. Mas ele simplesmente permite todos os comandos.

O login do usuário deve ser somente senha, portanto, nenhum sistema chave.

Log de depuração:

Connection from XX.XX.XX.XXX port 26048
debug1: Client protocol version 2.0; client software version PuTTY_Release_0.63
debug1: no match: PuTTY_Release_0.63
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.0p1 Debian-4+deb7u2
debug1: permanently_set_uid: 103/65534 [preauth]
debug1: list_hostkey_types: ssh-rsa,ssh-dss [preauth]
debug1: SSH2_MSG_KEXINIT sent [preauth]
debug1: SSH2_MSG_KEXINIT received [preauth]
debug1: kex: client->server aes256-ctr hmac-sha2-256 none [preauth]
debug1: kex: server->client aes256-ctr hmac-sha2-256 none [preauth]
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST_OLD received [preauth]
debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent [preauth]
debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT [preauth]
debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent [preauth]
debug1: SSH2_MSG_NEWKEYS sent [preauth]
debug1: expecting SSH2_MSG_NEWKEYS [preauth]
debug1: SSH2_MSG_NEWKEYS received [preauth]
debug1: KEX done [preauth]
debug1: userauth-request for user restricteduser service ssh-connection method none [preauth]
debug1: attempt 0 failures 0 [preauth]
debug1: PAM: initializing for "restricteduser"
debug1: PAM: setting PAM_RHOST to "XXX.XXXX.XXXXXXXX.XX"
debug1: PAM: setting PAM_TTY to "ssh"
debug1: userauth-request for user restricteduser service ssh-connection method password [preauth]
debug1: attempt 1 failures 0 [preauth]
debug1: PAM: password authentication accepted for restricteduser
debug1: do_pam_account: called
Accepted password for restricteduser from XX.XX.XX.XXX port 26048 ssh2
debug1: monitor_read_log: child log fd closed
debug1: monitor_child_preauth: restricteduser has been authenticated by privileged process
debug1: PAM: establishing credentials
User child is on pid 24137
debug1: SELinux support disabled
debug1: PAM: establishing credentials
debug1: permanently_set_uid: 2001/2001
debug1: Entering interactive session for SSH2.
debug1: server_init_dispatch_20
debug1: server_input_channel_open: ctype session rchan 256 win 16384 max 16384
debug1: input_session_request
debug1: channel 0: new [server-session]
debug1: session_new: session 0
debug1: session_open: channel 0
debug1: session_open: session 0: link with channel 0
debug1: server_input_channel_open: confirm session
debug1: server_input_channel_req: channel 0 request pty-req reply 1
debug1: session_by_channel: session 0 channel 0
debug1: session_input_channel_req: session 0 req pty-req
debug1: Allocating pty.
debug1: session_new: session 0
debug1: SELinux support disabled
debug1: session_pty_req: session 0 alloc /dev/pts/11
debug1: server_input_channel_req: channel 0 request shell reply 1
debug1: session_by_channel: session 0 channel 0
debug1: session_input_channel_req: session 0 req shell
debug1: Setting controlling tty using TIOCSCTTY.
debug1: server_input_channel_req: channel 0 request [email protected] reply 1
debug1: session_by_channel: session 0 channel 0
debug1: session_input_channel_req: session 0 req [email protected]

Atenciosamente ProcTrap