Disabling ForceCommand in a Match block

This is a discussion on Disabling ForceCommand in a Match block within the OpenSSH Development forums, part of the Networking and Network Related category.


05-16-2007
Remy Blank

Hello,

I am trying to force a command for all users *except* for users in the
"wheel" group. My idea was to do the following in sshd_config:

ForceCommand /usr/bin/validate-ssh-command

Match Group wheel
ForceCommand

But obviously this doesn't work, because ForceCommand requires an
argument. I couldn't find a way to achieve what I want.

I wrote a patch that adds a "NoForceCommand" configuration option that
removes any configured ForceCommand. This allows me to have the following:

ForceCommand /usr/bin/validate-ssh-command

Match Group wheel
NoForceCommand

Is there a better way to do this? Possibly without patching openssh?

BTW, the patch is against openssh-4.5p1.

Thanks.
-- Remy


Attachment: openssh-forcecommand.patch
--- servconf.c.orig 2007-05-16 13:38:13.000000000 +0200
+++ servconf.c 2007-05-16 14:21:47.000000000 +0200
@@ -122,6 +122,7 @@
options->permit_tun =3D -1;
options->num_permitted_opens =3D -1;
options->adm_forced_command =3D NULL;
+ options->no_forced_command =3D 0;
}
=20
void
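Review bot: the new no_forced_command field is initialised to 0 here while the neighbouring fields (permit_tun, num_permitted_opens) use -1 as their "not set" sentinel. Because the field is only ever read as a boolean in copy_set_server_options, 0 works, but a short comment saying it is a plain flag and not a tri-state option would stop a later reader from "fixing" it to -1 and thereby making `if (src->no_forced_command)` true by default.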
@@ -291,7 +292,7 @@
sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,
sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel,
- sMatch, sPermitOpen, sForceCommand,
+ sMatch, sPermitOpen, sForceCommand, sNoForceCommand,
sUsePrivilegeSeparation,
sDeprecated, sUnsupported
} ServerOpCodes;
@@ -403,6 +404,7 @@
{ "match", sMatch, SSHCFG_ALL },
{ "permitopen", sPermitOpen, SSHCFG_ALL },
{ "forcecommand", sForceCommand, SSHCFG_ALL },
+ { "noforcecommand", sNoForceCommand, SSHCFG_ALL },
{ NULL, sBadOption, 0 }
};
=20
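Review bot: the keyword table entry uses SSHCFG_ALL, which is right since the whole point of the option is to appear inside a Match block, but the patch carries no documentation: sshd_config.5 should gain a NoForceCommand entry next to ForceCommand stating that it cancels any ForceCommand seen earlier in the same section or inherited from the global section, and that it takes no argument.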
@@ -1249,10 +1251,21 @@
fatal("%.200s line %d: Missing argument.", filename,
linenum);
len =3D strspn(cp, WHITESPACE);
- if (*activep && options->adm_forced_command =3D=3D NULL)
+ if (*activep && options->adm_forced_command =3D=3D NULL) {
options->adm_forced_command =3D xstrdup(cp + len);
+ options->no_forced_command =3D 0;
+ }
return 0;
=20
+ case sNoForceCommand:
+ if (*activep) {
+ if (options->adm_forced_command !=3D NULL)
+ xfree(options->adm_forced_command);
+ options->adm_forced_command =3D NULL;
+ options->no_forced_command =3D 1;
+ }
+ break;
+
case sDeprecated:
logit("%s line %d: Deprecated option %s",
filename, linenum, arg);
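Review bot: the sNoForceCommand case ends with `break` whereas the sForceCommand case just above ends with `return 0`; if the code after the switch performs the usual trailing-garbage check, `break` is the correct choice for an argument-less keyword (and ForceCommand's early return is the odd one out), but please confirm that is the intent and that a line such as `NoForceCommand foo` is rejected. Also note the asymmetry the `*activep && options->adm_forced_command =3D=3D NULL` test creates: the first ForceCommand in a section wins, while NoForceCommand clears unconditionally, so `ForceCommand a` / `NoForceCommand` / `ForceCommand b` yields b but `ForceCommand a` / `ForceCommand b` yields a; that deserves a comment here or a sentence in the man page.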
@@ -1332,6 +1345,11 @@
xfree(dst->adm_forced_command);
dst->adm_forced_command =3D src->adm_forced_command;
}
+ if (src->no_forced_command) {
+ if (dst->adm_forced_command !=3D NULL)
+ xfree(dst->adm_forced_command);
+ dst->adm_forced_command =3D NULL;
+ }
if (src->x11_display_offset !=3D -1)
dst->x11_display_offset =3D src->x11_display_offset;
if (src->x11_forwarding !=3D -1)
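Review bot: the new block sits after the one that hands src->adm_forced_command to dst by pointer, and both blocks free dst->adm_forced_command. They are mutually exclusive today only because sNoForceCommand NULLs src->adm_forced_command and sForceCommand zeroes no_forced_command; if that invariant is ever lost, the second block would free the pointer just copied from src and leave src holding a dangling pointer. Making this an `else if` on the preceding `if (src->adm_forced_command != NULL)` block, or testing no_forced_command first, removes the dependency.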

--- servconf.h.orig 2007-05-16 14:18:52.000000000 +0200
+++ servconf.h 2007-05-16 14:19:26.000000000 +0200
@@ -135,6 +135,7 @@
char *authorized_keys_file2;
=20
char *adm_forced_command;
+ int no_forced_command;
=20
int use_pam; /* Enable auth via PAM */
=20
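Review bot: `int no_forced_command;` lacks the trailing comment the neighbouring fields in servconf.h carry (e.g. `int use_pam; /* Enable auth via PAM */`); suggest `int no_forced_command; /* NoForceCommand seen: cancel ForceCommand */` so the field's one-way semantics are visible at the declaration.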


_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org
http://lists.mindrot.org/mailman/lis...enssh-unix-dev
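As an added illustration (not code from the post or from OpenSSH), the following Python model shows how the patched sshd would resolve the effective forced command: the global section and the matching Match blocks are each parsed with first-ForceCommand-wins, and the Match result then overrides the global one as copy_set_server_options does. The function names are mine, and Match is modelled only for User and Group with exact comma-separated names (no wildcards, negation, Host or Address), which is an assumption made for brevity.

```python
# Added model (not OpenSSH code) of how sshd 4.5p1 plus the patch from the post
# resolves the forced command for one connecting user; see lead-in for assumptions.

def _lines(config):
    """Yield (keyword, argument) pairs, keyword lower-cased, comments skipped."""
    for raw in config.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            parts = line.split(None, 1)
            yield parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")

def _match(criteria, user, groups):
    """'User a,b Group x,y': every criterion must hold; exact names only (assumed)."""
    toks = criteria.split()
    if not toks or len(toks) % 2:
        raise ValueError("Match: missing criteria")
    for key, val in zip(toks[::2], toks[1::2]):
        wanted = set(val.split(","))
        if key.lower() == "user" and user not in wanted:
            return False
        if key.lower() == "group" and not (set(groups) & wanted):
            return False
    return True

def _section(config, user, groups, in_match):
    """One pass: global lines only, or all matching Match blocks merged into one."""
    cmd, cleared, active = None, False, not in_match
    for kw, arg in _lines(config):
        if kw == "match":                        # the global pass never enters a block
            active = in_match and _match(arg, user, groups)
        elif kw == "forcecommand":
            if not arg:                          # sshd: fatal("... Missing argument.")
                raise ValueError("ForceCommand: Missing argument.")
            if active and cmd is None:           # first ForceCommand in a section wins
                cmd, cleared = arg, False
        elif kw == "noforcecommand" and active:  # the patch: drop any forced command
            cmd, cleared = None, True
    return cmd, cleared

def effective_force_command(config, user, groups):
    global_cmd, _ = _section(config, user, groups, in_match=False)
    match_cmd, match_cleared = _section(config, user, groups, in_match=True)
    if match_cmd is not None:                    # copy_set_server_options: Match wins
        return match_cmd
    return None if match_cleared else global_cmd

# Constructed sample: the sshd_config the post wants to express.
POST_CONFIG = "ForceCommand /usr/bin/validate-ssh-command\n\nMatch Group wheel\nNoForceCommand\n"
```

Running effective_force_command(POST_CONFIG, ...) for a wheel member returns None while any other user gets /usr/bin/validate-ssh-command, and the author's first attempt (a bare ForceCommand inside the Match block) raises at parse time just as sshd's "Missing argument" fatal would.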
