way to set shell used for remote commands?
Iain Morgan
imorgan at nas.nasa.gov
Fri Jan 23 06:40:59 AEDT 2015
On Thu, Jan 22, 2015 at 14:17:13 +0000, Jason Vas Dias wrote:
> Thanks Alan & Iain for your replies.
> RE:
> >> ssh 127.0.0.1 dash -c env
> >>
> >> appear to do the expected for me.
> >>
> Yes, it is easy enough to run any program on the remote host
> to read commands from stdin and write results to stdout ;
> but that means you have to send the script to execute separately:
> $ echo "$script" | ssh $remote_host $remote_shell
> and that means you must be aware on the origin host
> exactly what the path of $remote_shell is on the remote host.
> Also using $SHELL -c "$SCRIPT" on the origin host does not work if
> $SCRIPT contains semi-colons; only the first line terminated by
> a semi-colon will be run by $SHELL; remaining lines are run
> by the user's default shell. And that introduces a new level
> of quoting hell.
>
> What I'd like is an option I could put into a configuration file on
> $remote_host to say "sshd should use SHELL=$X for all commands", or
> maybe it might be nicer to be able to say:
> "use SHELL=$X for commands coming from host $Y or network $N"
> or "use SHELL=$X for commands that match the regular expression $Y"
> or a combination of both.
>
> The problem is of course, there appears to be no user-specific
> configuration file for sshd beyond ~/.ssh/rc - and I don't think
> that is the right file. AFAICS, sshd does not parse the user's
> ~/.ssh/config - this is used only by the 'ssh' client for OUTGOING commands.
>
> It appears sshd needs a per-user config file for INCOMING commands.
>
> So the patch would need to add a new '~/.ssh/sshd_config' file, which
> could contain lines like:
> # for commands coming from hosts on subnet 192.168/16, use this shell:
> Host 192.168/16
> Shell /path/to/my/subnet.192.168/shell
> # for commands coming from hosts on subnet 172.16/16, use this shell:
> Host 172.16/16
> Shell /path/to/my/subnet.172.16/shell
> # for commands which start with 'new_shell', use specified shell and
> # remove prefixing 'new_shell' :
> Match ^(new_shell)\ (.*) = \2
> Shell /path/to/my/latest/shell
>
> If I develop such a patch, would there be any interest in it / likelihood
> of it being incorporated in a future OpenSSH release?
>
> Iain, I'd be most interested to see your 'ForceShell' patch.
> Please could you post it? Does it apply to commands from
> particular hosts, or all incoming commands?
>
> Thanks & Regards,
> Jason
>
First, my apologies for not including the URL or bugzilla ID. The bug
(and patch) can be found at:
https://bugzilla.mindrot.org/show_bug.cgi?id=2062
The patch adds a ForceShell option to sshd_config, similar to
ForceCommand, except that it overrides the shell used to invoke remote
commands or for interactive sessions.
With such an option, you could use a Match block to override the shell
for particular users, and could do so based on the client host or any
other criteria supported by the match directive.
For example:
Match User somebody Host foo.example.com
ForceShell /bin/dash
As noted above, it is an sshd_config option, and thus cannot be set
directly by the user. From a policy enforcement standpoint, this seems
the better way to approach things.
Unfortunately, I haven't touched the patch in two years, so I'm not sure
if it still applies cleanly. I'll see if I can set aside some time to
update the patch, but that may be a week or two away. Feel free to give
it a try in the meantime.
--
Iain Morgan
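As an added example (not from this thread or from OpenSSH), a client-side way to pin the remote interpreter with a stock sshd: the whole script is single-quoted into the one string that sshd hands to the user's login shell, so semicolons, newlines and embedded quotes reach only the interpreter you name. The remote interpreter path is assumed to be known (the caveat raised above), and the login shell is stood in for locally with `sh -c` so the quoting can be exercised without an ssh connection.

```shell
#!/bin/sh
# Added example, not code from the thread or OpenSSH.

# shell_quote STRING: wrap STRING in single quotes for a POSIX shell,
# turning each embedded single quote into '\'' (multi-line input is fine).
shell_quote() {
  printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# build_remote_command INTERP SCRIPT: the single argument the ssh client
# sends. sshd runs it as  $SHELL -c STRING  under the user's login shell,
# which then execs INTERP with the complete SCRIPT as one -c argument.
# INTERP must be the interpreter's path on the remote host (assumption).
build_remote_command() {
  printf '%s -c %s' "$1" "$(shell_quote "$2")"
}

# emulate_login_shell LOGIN_SHELL STRING: local stand-in for what sshd does
# for a non-interactive command, i.e. LOGIN_SHELL -c STRING.
emulate_login_shell() {
  "$1" -c "$2"
}

# Constructed sample: semicolons, a newline and a quoted word, all of which
# must survive the hop through the login shell untouched.
demo() {
  script=$(cat <<'EOF'
x=1; y=2
echo 'sum;is' $((x+y))
EOF
)
  # Real use would be:  ssh "$host" "$(build_remote_command /bin/dash "$script")"
  emulate_login_shell sh "$(build_remote_command sh "$script")"
}

demo   # prints "sum;is 3"
```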