openssh-unix-dev Digest, Vol 59, Issue 12

Jeremy McMillan aphor at speakeasy.net
Mon Mar 24 02:12:42 EST 2008


This problem can be solved by chowning the rc files (and user conf
files) to some other user and chmod'ing the group and other write bits
off. I say this because usually, when people use "ForceCommand" the  
intention is to severely restrict a particular account. Going down  
this path requires that you do a lot of homework around restricted  
shells/profiles/etc. and changes you might need to make to the  
default environment your OS provides. Ssh cannot and should not be  
expected to encapsulate all of the things that need attention if this  
is your goal.

If you reply directly to me with some background on your OS and what  
kind of behavior you would like to end up with, I will send you some  
pointers to get you started in the right direction.

On Mar 22, 2008, at 3:32 PM, openssh-unix-dev-request at mindrot.org wrote:
> Date: Thu, 20 Mar 2008 18:19:02 -0400
> From: "Mikhail Terekhov" <termim at gmail.com>
> Subject: ForceCommand and ~/.ssh/rc
>
> Hi,
>
> As I understand the "ForceCommand" in the sshd_config file is meant to
> ignore any command supplied by the client, but if user's home is shared by
> server and client machines over network (ex. NFS) then user can still put
> something else into ~/.ssh/rc file and overcome this limitation. Is it
> possible to disable execution of the ~/.ssh/rc file in such a case?
>
> Thanks,
> Mike
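
An added example (not from the original thread or from OpenSSH): a POSIX shell audit of the lockdown described in the reply above. It goes beyond the rc file to the containing directories, because an account that owns or can write `~/.ssh` or its home directory can rename or replace an `rc` file it does not own; the function names and the numeric-uid argument are assumptions of this example.

```shell
#!/bin/sh
# Added example: can a ForceCommand-restricted account still plant or
# replace ~/.ssh/rc? Hypothetical helper names; not OpenSSH code.

# path_locked UID PATH -> 0 if PATH is not owned by UID and has no
# group/other write bit; 1 otherwise, with a finding on stdout.
path_locked() {
    uid=$1; path=$2; status=0
    # ls -ldn prints: mode links owner-uid group-gid ...
    info=$(ls -ldn -- "$path") || { echo "FAIL $path: cannot stat"; return 1; }
    mode=${info%% *}
    owner=$(printf '%s\n' "$info" | awk '{print $3}')
    if [ "$owner" = "$uid" ]; then
        # An owner can always chmod the write bit back on.
        echo "FAIL $path: owned by the restricted account (uid $uid)"
        status=1
    fi
    case $mode in
        ?????w*|????????w*)   # 6th char = group write, 9th = other write
            echo "FAIL $path: group/other writable ($mode)"
            status=1 ;;
    esac
    return $status
}

# audit_rc_lockdown UID HOME -> 0 only if HOME, HOME/.ssh and HOME/.ssh/rc
# (when present) are all locked against UID.
audit_rc_lockdown() {
    acct_uid=$1; acct_home=$2; result=0
    [ -d "$acct_home" ] || { echo "FAIL $acct_home: no such directory"; return 1; }
    for p in "$acct_home" "$acct_home/.ssh" "$acct_home/.ssh/rc"; do
        # A missing .ssh or rc is fine when the parent is locked:
        # the account then cannot create it.
        [ -e "$p" ] || continue
        path_locked "$acct_uid" "$p" || result=1
    done
    return $result
}

# Stand-alone use: sh audit.sh UID HOME
if [ $# -eq 2 ]; then
    audit_rc_lockdown "$1" "$2"
fi
```

Call it as `audit_rc_lockdown "$(id -u ACCOUNT)" /home/ACCOUNT`, where ACCOUNT is a placeholder for the restricted login. Newer OpenSSH releases also provide the sshd_config option `PermitUserRC no`, which disables execution of `~/.ssh/rc` outright.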
