Patch to selectively override a user's shell
Philipp Bunge
philipp.bunge at id.unibe.ch
Thu Aug 4 18:37:17 EST 2005
Hello,
I don't know if this is of interest to anybody here, but I have
written a patch to selectively override a user's shell depending on
the username.
The reason behind this is that at the high performance cluster I
work at, we would like normal users to be permitted to use only
scp and sftp (and thus a shell like rssh) on our master nodes, while
they retain their normal shell on all other nodes. With this patch,
we can define which users may retain their normal shell on the master
nodes and which ones will have their shell changed to a default one.
The patch can be found here:
https://ubelix.unibe.ch/local/tmp/openssh-4.1_p1-shell-override.patch
USAGE: The patch adds three config parameters to sshd_config. These are:
* OverrideShell - Shell to be used if the user's shell will be
  overridden (e.g. OverrideShell /usr/bin/rssh).
* AllowShell - Space separated list of users that should be
  allowed to use their shell as specified in /etc/passwd or in LDAP or
  wherever you're authenticating from. If this is set, any user that is
  not listed here will receive the shell specified in OverrideShell.
* DenyShell - Space separated list of users who will be denied
  their shell specified in /etc/passwd or wherever and will receive the
  OverrideShell instead. If only this is set, all other users will get
  their normal shell.
EXAMPLES: To deny the normal shell to all users except for root and
admin and provide them with rssh as a shell instead, /etc/ssh/sshd_config
should contain the following lines:
    # Use a shell that allows us to use scp and sftp but won't allow
    # us to log in:
    OverrideShell /usr/bin/rssh
    # Only root and admin are allowed to log in directly:
    AllowShell root admin
To allow all users to log in except user1 and user2 who should only
be able to use scp and sftp:
    # Use a shell that allows us to use scp and sftp but won't allow
    # us to log in:
    OverrideShell /usr/bin/rssh
    # Everyone may log in except for user1 and user2
    DenyShell user1 user2
I would be happy to hear any feedback!
Regards,
Philipp
PS.: I'm not subscribed to this mailing list, please cc any replies to
me.
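
The rules described in the message above, as an added example that is not part of the original post or of the patch: a small Python model that parses the three directives and resolves the shell a given user would receive. Two behaviours are assumptions the post does not specify: DenyShell takes precedence when a user appears in both lists, and a required override with no OverrideShell set is treated as a configuration error.

```python
# Added illustration: models the rules described in the post, not the patch's C code.

def parse_shell_directives(config_text):
    """Collect OverrideShell / AllowShell / DenyShell from sshd_config-style text."""
    cfg = {"overrideshell": None, "allowshell": set(), "denyshell": set()}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):   # blank lines and comments
            continue
        keyword, *args = line.split()
        keyword = keyword.lower()              # sshd_config keywords are case-insensitive
        if keyword == "overrideshell" and args:
            cfg["overrideshell"] = args[0]
        elif keyword in ("allowshell", "denyshell"):
            cfg[keyword].update(args)          # space-separated user names, exact match
    return cfg


def effective_shell(user, passwd_shell, cfg):
    """Return the shell the user would get under the described rules."""
    denied = user in cfg["denyshell"]
    # A non-empty AllowShell acts as an allow-list: everyone else is overridden.
    unlisted = bool(cfg["allowshell"]) and user not in cfg["allowshell"]
    if not (denied or unlisted):
        return passwd_shell
    # Assumption: DenyShell wins over AllowShell (fail closed); the post is silent.
    if cfg["overrideshell"] is None:
        # Assumption: needing an override without OverrideShell is a config error.
        raise ValueError("shell must be overridden but OverrideShell is not set")
    return cfg["overrideshell"]


# Constructed sample configs, mirroring the two examples in the post.
ALLOW_EXAMPLE = "# comment\nOverrideShell /usr/bin/rssh\nAllowShell root admin\n"
DENY_EXAMPLE = "OverrideShell /usr/bin/rssh\nDenyShell user1 user2\n"

if __name__ == "__main__":
    # "/bin/bash" stands in for the shell from /etc/passwd (constructed value).
    for label, text in (("AllowShell", ALLOW_EXAMPLE), ("DenyShell", DENY_EXAMPLE)):
        cfg = parse_shell_directives(text)
        for user in ("root", "admin", "user1", "user3"):
            print(label, user, effective_shell(user, "/bin/bash", cfg))
```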