List of allowed commands to run

perret.yannick perret.yannick at free.fr
Sat May 19 04:18:24 EST 2007


Hello,

I was working on openSSH-4.6p1 sources at work (for a local
problem with AFS tokens, but that's not the subject of this mail),
and I started playing with the 'Match' command for servers.

We are trying to allow some specific access for referenced
users/machines, and I find that a feature is missing:
the possibility to restrict the set of commands for a given
user/machine/whatsoever that 'Match' handles.

I mean be able to explicitly indicate the commands that can
be executed through ssh.

So I added a 'CommandFilter' command to sshd which allows
giving a set of allowed commands. When executing a command
on the server (the "exec" message) it checks whether it is allowed,
and if not it sends a disconnect message to the client.
This CommandFilter is usable with Match, to create specific
sets of allowed commands.

So my questions:
- is there a simpler/nicer way to do that (or even maybe it is still
possible without any change)?
- is my modification correct (I mean, is it the right way to
perform such a modification)?
- and would my modification interest developers or other
people? In this case I can send a patch for that.

Thanks for your answers/comments.

Regards,
--
Yannick Perret
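
Added example, not part of the original post and not OpenSSH code: the check described above (an exec request compared against a set of allowed commands and refused otherwise), written as a shell wrapper. It assumes sshd's existing ForceCommand directive and the SSH_ORIGINAL_COMMAND variable; the script path, allowlist entries and function names are constructed for the example.

```shell
#!/bin/sh
# Assumed sshd_config usage (hypothetical user and path):
#   Match User reports
#       ForceCommand /usr/local/bin/ssh-allow.sh
# sshd then exposes the client's requested command in SSH_ORIGINAL_COMMAND.

# Constructed allowlist: one complete command line per entry, matched exactly.
ALLOWED_COMMANDS='uptime
df -h /srv
/usr/bin/du -s /srv/export'

# Returns 0 if $1 is exactly one allowlisted entry, 1 otherwise.
command_allowed() {
    requested=$1
    # Empty request: the client asked for an interactive shell. Deny.
    [ -n "$requested" ] || return 1
    # grep treats a newline inside the pattern as several patterns, so
    # "uptime<newline>id" would match the "uptime" entry. Deny it first.
    case $requested in
        *"
"*) return 1 ;;
    esac
    # -F: fixed string, -x: whole line. No regex and no prefix matching,
    # so "uptime; id" and "df" do not match any entry.
    printf '%s\n' "$ALLOWED_COMMANDS" | grep -Fxq -- "$requested"
}

# Runs the request if allowed, otherwise refuses and reports failure.
filter_main() {
    if command_allowed "${SSH_ORIGINAL_COMMAND-}"; then
        # Safe to hand to the shell: the string equals an admin-written entry.
        exec /bin/sh -c "$SSH_ORIGINAL_COMMAND"
    fi
    echo "command not allowed" >&2
    return 1
}

# Act only inside an sshd session (sshd sets SSH_CONNECTION).
if [ -n "${SSH_CONNECTION-}" ]; then
    filter_main
    exit $?
fi
```

Unlike the CommandFilter behaviour described in the post, a wrapper like this ends the session with a non-zero exit status rather than sending a disconnect message.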



More information about the openssh-unix-dev mailing list