ForceCommand and NFS-shared home directories

Mikhail Terekhov termim at gmail.com
Tue Mar 25 01:18:57 EST 2008 

> > On Mar 22, 2008, at 3:32 PM, Chris Wilson wrote:
> >
> >> As I understand the "ForceCommand" in the sshd_confing file is meant to
> >> ignore any command supplied by the client, but if user's home is shared
> >> by server and client machines over network (ex. NFS) then user can
> >> still put something else into ~/.ssh/rc file and overcome this
> >> limitation. Is it possible to disable execution of the ~/.ssh/rc file
> >> in such a case?
>
> On Sun, 23 Mar 2008, Jeremy McMillan wrote:
>
> > This problem can be solved by chowning the rc (and user conf files)
> > files to some other user and chmod'ing the group and other write bits
> > off. I say this because usually, when people use "ForceCommand" the
> > intention is to severely restrict a particular account. Going down
> > this path requires that you do a lot of homework around restricted
> > shells/profiles/etc. and changes you might need to make to the
> > default environment your OS provides. Ssh cannot and should not be
> > expected to encapsulate all of the things that need attention if this
> > is your goal.
>
Frankly I can't imagine a case where while using "ForceCommand" the
shell/profile or user environment could be useful. But certanly I could be
mistaken.
What I have in mind here is a CVS/SVN server that uses SSH for
authorization. In this case users should have no shell access to the
server at all.

> Unfortunately I don't believe that you are correct in general.
>
> If the user has read-write access to their home directory, and it's not
> protected by some bizarre magical filesystem, then they can replace .ssh
> at will. For example:
>
> mkdir ~/.ssh2
> echo "echo 'Hello there!'" > ~/.ssh2/rc
> mv ~/.ssh ~/.ssh.old
> mv ~/.ssh2 ~/.ssh
>
> This should be possible, whatever permissions you place on ~/.ssh or its
> contents. If you can see a flaw in my logic then I'd be very interested to
> hear it.
>
> Mikhail, I don't believe there is an option to disable the rc file at
> present, but it sounds like a useful thing to add.
>
Yes in cases like my this option would be very useful.
Meantime do you think that writing a wrapper script for the shell on the
server that bypasses everything but the predefined in "ForceCommand"
command would be a reasonable workaround?

Regards,
Mikhail

More information about the openssh-unix-dev mailing list