Disabling ForceCommand in a Match block

Thu May 17 01:32:52 EST 2007

On Wed, May 16, 2007 at 14:36:47 +0200, Remy Blank wrote:
> Hello,
> 
> I am trying to force a command for all users *except* for users in the
> "wheel" group. My idea was to do the following in sshd_config:
> 
> ForceCommand /usr/bin/validate-ssh-command
> 
> Match Group wheel
>     ForceCommand
> 
> But obviously this doesn't work, because ForceCommand requires an
> argument. I couldn't find a way to achieve what I want.
> 
> I wrote a patch that adds a "NoForceCommand" configuration option that
> removes any configured ForceCommand. This allows me to have the following:
> 
> ForceCommand /usr/bin/validate-ssh-command
> 
> Match Group wheel
>     NoForceCommand

It would be more in keeping with the general syntax of the ssh_config 
(and the preferrence of keeping the number of options to a minimum)
to have ForcedCommand accept the special keyword 'none'.

> 
> Is there a better way to do this? Possibly without patching openssh?

I have to admit, I haven't played around with the Match keyword much.
If it accepted negation (I don't recall if it does), you could do
something like:

Match ! Group wheel
	ForceCommand /usr/bin/validate-ssh-command

--
Iain

> 
> BTW, the patch is against openssh-4.5p1.
> 
> Thanks.
> -- Remy

> --- servconf.c.orig	2007-05-16 13:38:13.000000000 +0200
> +++ servconf.c	2007-05-16 14:21:47.000000000 +0200
> @@ -122,6 +122,7 @@
>  	options->permit_tun = -1;
>  	options->num_permitted_opens = -1;
>  	options->adm_forced_command = NULL;
> +	options->no_forced_command = 0;
>  }
>  
>  void
> @@ -291,7 +292,7 @@
>  	sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
>  	sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,
>  	sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel,
> -	sMatch, sPermitOpen, sForceCommand,
> +	sMatch, sPermitOpen, sForceCommand, sNoForceCommand,
>  	sUsePrivilegeSeparation,
>  	sDeprecated, sUnsupported
>  } ServerOpCodes;
> @@ -403,6 +404,7 @@
>   	{ "match", sMatch, SSHCFG_ALL },
>  	{ "permitopen", sPermitOpen, SSHCFG_ALL },
>  	{ "forcecommand", sForceCommand, SSHCFG_ALL },
> +	{ "noforcecommand", sNoForceCommand, SSHCFG_ALL },
>  	{ NULL, sBadOption, 0 }
>  };
>  
> @@ -1249,10 +1251,21 @@
>  			fatal("%.200s line %d: Missing argument.", filename,
>  			    linenum);
>  		len = strspn(cp, WHITESPACE);
> -		if (*activep && options->adm_forced_command == NULL)
> +		if (*activep && options->adm_forced_command == NULL) {
>  			options->adm_forced_command = xstrdup(cp + len);
> +			options->no_forced_command = 0;
> +		}
>  		return 0;
>  
> +	case sNoForceCommand:
> +		if (*activep) {
> +			if (options->adm_forced_command != NULL)
> +				xfree(options->adm_forced_command);
> +			options->adm_forced_command = NULL;
> +			options->no_forced_command = 1;
> +		}
> +		break;
> +
>  	case sDeprecated:
>  		logit("%s line %d: Deprecated option %s",
>  		    filename, linenum, arg);
> @@ -1332,6 +1345,11 @@
>  			xfree(dst->adm_forced_command);
>  		dst->adm_forced_command = src->adm_forced_command;
>  	}
> +	if (src->no_forced_command) {
> +		if (dst->adm_forced_command != NULL)
> +			xfree(dst->adm_forced_command);
> +		dst->adm_forced_command = NULL;
> +	}
>  	if (src->x11_display_offset != -1)
>  		dst->x11_display_offset = src->x11_display_offset;
>  	if (src->x11_forwarding != -1)
> 
> --- servconf.h.orig	2007-05-16 14:18:52.000000000 +0200
> +++ servconf.h	2007-05-16 14:19:26.000000000 +0200
> @@ -135,6 +135,7 @@
>  	char   *authorized_keys_file2;
>  
>  	char   *adm_forced_command;
> +	int	no_forced_command;
>  
>  	int	use_pam;		/* Enable auth via PAM */
>  

> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> http://lists.mindrot.org/mailman/listinfo/openssh-unix-dev

-- 
Iain Morgan