"ssh user at server /bin/sh" vs "no-pty" option.

Darren Tucker dtucker at zip.com.au
Wed Apr 13 21:45:30 EST 2005

rz1a at nwgsm.ru wrote:
>  Do I get it right that I *MUST* chroot a user first and make
>  /bin/rssh his shell in the /etc/passwd to effectively restrict him?
>  There should be no /bin/ksh (or bash) in his jail?
>  If I do not jail him - no matter what is his passwd shell - he will
>  be able to issue "ssh user at server /bin/sh" still, right?

sshd runs those commands via the user's login shell with the "-c" option, 
have a look at session.c:do_child().  As long as the user's login shell 
doesn't obey "-c" (or applies the same restrictions as for interactive 
use) then the user won't be able to run commands via "ssh server command".

They will, however be able to do port forwarding ("ssh -2 -N -L [foo] 

Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
     Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

More information about the openssh-unix-dev mailing list