Re: How to stop remote commands and allow ONLY interactive login sessions?



On Jun 26, 8:20 am, Simon Tatham <ana...@xxxxxxxxx> wrote:
BenRussoUSA  <ben.ru...@xxxxxxxxx> wrote:
Is there any way for OpenSSHD to allow interactive logins, but disable
remote commands?  I want users to be allowed to login and
interactively use a shell.
But I don't want them to be able to fire and forget a command.

Even if there was a way to conveniently do this (e.g. hack OpenSSH
so as to disable the "exec" request while still permitting "shell",
or set the user's shell to a program which execs the real shell if
invoked with no arguments but bombs out if passed '-c'), what would
it gain you? A user who wanted to automate a command on such a
system would only have to wrap an interactive ssh login with a
program such as expect(1), and they'd be able to run anything as an
automated job that they could do at the interactive shell prompt.
--
Simon Tatham         "What a caterpillar calls the end of the
<ana...@xxxxxxxxx>    world, a human calls a butterfly."

Oh, I can see why he'd want it. The ability to fire off tasks
remotely, without an interactive session, means that any SSH key or
'expect with password' tool can fire off dozens, hundreds, even
thousands of SSH tasks without any accomponaying user to yell at,
sending unattended jobs from anywhere the sessions are expected from.
I've seen just this sort of thing from badly written remote task
scripts, or worse yet monitoring scripts. (Don't get me started on
Sitescope's use of SSH right now. Just.... don't.)
.



Relevant Pages

  • Re: Announcing Viewglob 2.0
    ... It tracks the command line and environment of any number ... > of interactive shells (local and remote). ... > - Sharing a single display between multiple terminals ... > I have a great appreciation for the Unix shell - I'm of the ...
    (comp.unix.shell)
  • Re: waitFor and return (very strange)
    ... > rsh started by command line or java.Must i set an hide variable? ... treated differently by the remote shell. ...
    (comp.lang.java.programmer)
  • How to fetch process output incrementally?
    ... * Log in to a remote host using ssh, telnet, ssl-telnet, or something ... then look if the command has produced some output. ... fetch the stdout and stderr output. ... to a Bourne-ish shell on the remote end (my program does "exec ...
    (comp.unix.shell)
  • Announcing Viewglob 2.0
    ... Viewglob is a filesystem visualization add-on for Bash and Zsh. ... shells (local and remote). ... Since the draw of the command line is the ability to do things quickly ... I have a great appreciation for the Unix shell - I'm of the opinion ...
    (comp.unix.shell)
  • Bash-4.0 available for FTP
    ... Unlike previous bash distributions, this tar file includes the formatted ... The shell has been changed to be more ... rigorous about parsing commands inside command substitutions, ... Changes have been made to the Readline library being released at ...
    (gnu.announce)