RE: ForceCommand executes shell



If you only ever want the user account to perform the one function, override their system shell.

example:
oper:x:519:519::/home/oper:/usr/local/bin/oper-only-ever-gets-to-do-this.sh

Regardless of how the account logs in, telnet, ssh, &c they'll only execute that one thing.



________________________________________
From: listbounce@xxxxxxxxxxxxxxxxx [listbounce@xxxxxxxxxxxxxxxxx] On Behalf Of Walter de Jong [walter@xxxxxxx]
Sent: Tuesday, April 19, 2011 8:23 AM
To: secureshell@xxxxxxxxxxxxxxxxx
Subject: ForceCommand executes shell

Hi,

I have set up an sshd_config that uses an alternate port number and
ForceCommand to force the execution of a home-made service to our users.

ForceCommand executes the command using 'shell' '-c', and as a result
the user's .bashrc, .tcshrc, .whateverrc is being loaded -- which is
something I was trying to prevent, because I'm trying to "force a
command" upon them. In my case loading a .bashrc can be considered as a
security hole.

Is there any way around this? Maybe a different kind of setup would be
better?
I like using ssh for the service because of its excellent authentication
mechanisms.

I even made a patch to sshd session.c (see below) but I'd rather not
have to maintain local mods to the source.


Greets,

--Walter


void do_child()
{
    /* ... excerpt of session.c do_child(); everything before this point is unchanged ... */

    /* original sshd code: run the forced command through the user's own shell
    argv[0] = (char *) shell0;
    argv[1] = "-c";
    argv[2] = (char *) command;
    argv[3] = NULL;
    */
    /* local mod: always use bash and skip ~/.bashrc and the profile files */
    argv[0] = "/bin/bash";
    argv[1] = "--norc";
    argv[2] = "--noprofile";
    argv[3] = "-c";
    argv[4] = (char *)command;
    argv[5] = NULL;

    /* exec the binary named in argv[0] rather than the account's shell:
       --norc/--noprofile are bash options and would break a non-bash shell */
    execve(argv[0], argv, env);
    perror(argv[0]);
    exit(1);
}


--
*** If you build it, they will come ***

HPC Systems Programmer at SARA Computing and Network Services
People should be able to e-mail me, spambots should not.
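The approach the reply recommends (a dedicated login shell that only ever runs one program), as an added example that comes from neither poster: a POSIX sh script meant to be installed as /usr/local/bin/oper-only-ever-gets-to-do-this.sh. The service path and the list of scrubbed variables are assumptions; it avoids the .bashrc problem from the original message because a non-interactive sh reads no startup files, and it ignores whatever command ssh, scp or a ForceCommand asked for.

```shell
#!/bin/sh
# Constructed example of an "only ever gets to do this" login shell, set as
# the account's shell in /etc/passwd.  It is deliberately #!/bin/sh, not
# bash: a non-interactive sh consults $ENV only when interactive and never
# sources ~/.bashrc or ~/.profile, so the user cannot inject code that way.

SERVICE=/usr/local/bin/home-made-service      # hypothetical program to run

# Drop variables that could make the service (or any shell it spawns) load
# user-controlled files or libraries, and pin PATH.
scrub_env() {
    unset ENV BASH_ENV CDPATH
    unset LD_PRELOAD LD_LIBRARY_PATH
    PATH=/usr/bin:/bin; export PATH
}

# Map how we were invoked to what runs.  A login shell is started either as
# "sh -c <cmd>" (ssh with a command, scp, sftp, a ForceCommand) or with no
# arguments (interactive login, telnet, console).  Both collapse to SERVICE:
# the requested command and SSH_ORIGINAL_COMMAND are never looked at.
decide() {
    case "$#:$1" in
        0:)   echo "$SERVICE" ;;
        2:-c) echo "$SERVICE" ;;            # requested command ($2) ignored
        *)    return 1 ;;                   # any other argv is refused
    esac
}

run_restricted_shell() {
    scrub_env
    target=$(decide "$@") || { echo "access denied" >&2; exit 1; }
    exec "$target"                          # fixed argv: no user input passed
}

# Dispatch only when actually running as the login shell.
case "$0" in
    *oper-only-ever-gets-to-do-this.sh) run_restricted_shell "$@" ;;
esac
```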
