Re: ForceCommand and ~/.ssh/rc

This is a discussion on Re: ForceCommand and ~/.ssh/rc within the OpenSSH Development forums, part of the Networking and Network Related category; On Tue, Mar 25, 2008 at 08:57:39AM +1100, Damien Miller wrote: > On Thu, 20 Mar 2008, Mikhail ...


Go Back   Usenet Forums > Networking and Network Related > OpenSSH Development

Reload this Page Re: ForceCommand and ~/.ssh/rc

FAQ Members List Calendar Search Today's Posts Mark Forums Read

Reply

 

LinkBack Thread Tools Search this Thread Display Modes
  #1 (permalink)  
Old 03-24-2008
Darren Tucker
 
Posts: n/a
Default Re: ForceCommand and ~/.ssh/rc
On Tue, Mar 25, 2008 at 08:57:39AM +1100, Damien Miller wrote:
> On Thu, 20 Mar 2008, Mikhail Terekhov wrote:
> > As I understand the "ForceCommand" in the sshd_confing file is meant to
> > ignore any command supplied by the client, but if user's home is shared by
> > server and client machines over network (ex. NFS) then user can still put
> > something else into ~/.ssh/rc file and overcome this limitation. Is it
> > possible to disable execution of the ~/.ssh/rc file in such a case?
>
> Could you please try this?
[..]
> - if (!options.use_login)
> + if (!options.use_login && options.adm_forced_command == NULL)

This should also check forced_command too, no? That usually comes from
a user-controlled authorized_keys file in ~/.ssh, however that's not
necessarily the case (eg AuthorizedKeysFile /etc/ssh/keys or some such).

Also, this will disable the root-owned rc file which isn't necessary.
How about something like this?

Index: session.c
================================================== =================
RCS file: /usr/local/src/security/openssh/cvs/openssh/session.c,v
retrieving revision 1.364
diff -u -p -r1.364 session.c
--- session.c 15 Mar 2008 06:27:58 -0000 1.364
+++ session.c 24 Mar 2008 22:19:08 -0000
@@ -1196,14 +1196,18 @@ do_rc_files(Session *s, const char *shel
{
FILE *f = NULL;
char cmd[1024];
- int do_xauth;
+ int do_xauth, do_user_rc = 1;
struct stat st;

do_xauth =
s->display != NULL && s->auth_proto != NULL && s->auth_data != NULL;

- /* ignore _PATH_SSH_USER_RC for subsystems */
- if (!s->is_subsystem && (stat(_PATH_SSH_USER_RC, &st) >= 0)) {
+ /* ignore _PATH_SSH_USER_RC for subsystems and forced commands */
+ if (s->is_subsystem || options.adm_forced_command != NULL ||
+ forced_command != NULL)
+ do_user_rc = 0;
+
+ if (do_user_rc && (stat(_PATH_SSH_USER_RC, &st) >= 0)) {
snprintf(cmd, sizeof cmd, "%s -c '%s %s'",
shell, _PATH_BSHELL, _PATH_SSH_USER_RC);
if (debug_flag)

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org
https://lists.mindrot.org/mailman/li...enssh-unix-dev
Reply With Quote
Reply
Thread Tools Search this Thread
Search this Thread:

Advanced Search
Display Modes
Linear Mode Linear Mode

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
BB code is On
Smilies are Off
[IMG] code is Off
HTML code is Off
Trackbacks are On
Pingbacks are On
Refbacks are On



All times are GMT +1. The time now is 01:37 AM.

Contact Us - Usenet Forums - Archive - Top

Powered by vBulletin® Version 3.7.3
Copyright ©2000 - 2008, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO 3.0.0