openssh-unix-dev Digest, Vol 59, Issue 12
Jeremy McMillan
aphor at speakeasy.net
Mon Mar 24 02:12:42 EST 2008
This problem can be solved by chowning the rc (and user conf) files
to some other user and chmod'ing the group and other write bits
off. I say this because usually, when people use "ForceCommand" the
intention is to severely restrict a particular account. Going down
this path requires that you do a lot of homework around restricted
shells/profiles/etc. and changes you might need to make to the
default environment your OS provides. Ssh cannot and should not be
expected to encapsulate all of the things that need attention if this
is your goal.
If you reply directly to me with some background on your OS and what
kind of behavior you would like to end up with, I will send you some
pointers to get you started in the right direction.
On Mar 22, 2008, at 3:32 PM, openssh-unix-dev-request at mindrot.org wrote:
> Date: Thu, 20 Mar 2008 18:19:02 -0400
> From: "Mikhail Terekhov" <termim at gmail.com>
> Subject: ForceCommand and ~/.ssh/rc
>
> Hi,
>
> As I understand the "ForceCommand" in the sshd_config file is meant to
> ignore any command supplied by the client, but if user's home is shared by
> server and client machines over network (ex. NFS) then user can still put
> something else into ~/.ssh/rc file and overcome this limitation. Is it
> possible to disable execution of the ~/.ssh/rc file in such a case?
>
> Thanks,
> Mike
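
The ownership and permission change suggested in the reply above can be verified with a small audit script. This is an added example, not part of the original thread: the function names and the file list in AUDIT_FILES are assumptions, and it goes one step further than the reply by also checking the .ssh directory itself, because write access to a directory allows replacing the files in it.

```shell
#!/bin/sh
# Added example (not from the thread). Flags paths under a restricted
# account's ~/.ssh that the account itself could modify.
# Usage (hypothetical account "restricted"):
#   audit_ssh_dir /home/restricted/.ssh "$(id -u restricted)"
# AUDIT_FILES is an assumed reading of "rc (and user conf) files".
AUDIT_FILES="rc environment config authorized_keys"

# check_path <path> <restricted_uid>
# Prints a FAIL line and returns 1 when the path is owned by the restricted
# uid or has a group/other write bit set; returns 0 otherwise.
check_path() {
    cp_path=$1; cp_uid=$2; cp_bad=0
    # ls -ldn prints "<mode> <links> <owner-uid> <group-gid> ..."
    cp_info=$(ls -ldn "$cp_path" | awk '{print $1 " " $3}')
    cp_mode=${cp_info% *}; cp_owner=${cp_info#* }
    if [ "$cp_owner" = "$cp_uid" ]; then
        echo "FAIL $cp_path: owned by restricted uid $cp_uid"
        cp_bad=1
    fi
    # Mode string: char 6 is group write, char 9 is other write.
    case $cp_mode in
        ?????w*|????????w*)
            echo "FAIL $cp_path: group/other writable ($cp_mode)"
            cp_bad=1 ;;
    esac
    return $cp_bad
}

# audit_ssh_dir <ssh_dir> <restricted_uid>
# Returns 0 when the directory and every audited file in it pass.
audit_ssh_dir() {
    as_dir=$1; as_uid=$2; as_status=0
    # The directory is checked too: write access to it allows renaming or
    # replacing a file inside it, whoever owns that file.
    check_path "$as_dir" "$as_uid" || as_status=1
    for as_f in $AUDIT_FILES; do
        [ -e "$as_dir/$as_f" ] || continue
        check_path "$as_dir/$as_f" "$as_uid" || as_status=1
    done
    return $as_status
}
```

A non-zero return means at least one FAIL line was printed; each line names the path and the reason.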