way to set shell used for remote commands?

Iain Morgan imorgan at nas.nasa.gov
Fri Jan 23 06:40:59 AEDT 2015

On Thu, Jan 22, 2015 at 14:17:13 +0000, Jason Vas Dias wrote:
> Thanks Alan & Iain for your replies.
> RE:
> >>    ssh dash -c env
> >>
> >> appear to do the expected for me.
> >>
> Yes, it is easy enough to run any program on the remote host
> to read commands from stdin and write results to stdout ;
> but that means you have to send the script to execute separately:
>   $ echo "$script" | ssh $remote_host $remote_shell
> and that means you must be aware on the origin host
> exactly what the path of $remote_shell is on the remote host.
> Also using $SHELL -c "$SCRIPT" on the origin host does not work if
> $SCRIPT contains semi-colons; only the first line terminated by
> a semi-colon will be run by $SHELL; remaining lines are run
> by the user's default shell.  And that introduces a new level
> of quoting hell .
> What I'd like is an option I could put into a configuration file on
> $remote_host to say "sshd should use SHELL=$X for all commands",  or
> maybe it might be nicer to be able to say:
>     "use SHELL=$X for commands coming from host $Y or network $N"
> or "use SHELL=$X for commands that match the regular expression $Y"
> or a combination of both.
> The problem is of course, there appears to be  no user-specific
> configuration file for sshd beyound ~/.ssh/rc - and I don't think
> that is the right file . AFAICS, sshd does not parse the user's
> ~/.ssh/config - this is used only by the 'ssh' client for OUTGOING commands.
> It appears sshd needs a per-user config file for INCOMING commands.
> So the patch would need to add a new "~/.ssh/sshd_config' file, which
> could contain lines like :
>   # for commands coming from hosts on subnet 192.168/16, use this shell:
>   Host   192.168/16
>     Shell /path/to/my/subnet.192.168/shell
>   # for commands coming from hosts on subnet 172.16/16, use this shell:
>   Host   172.16/16
>     Shell /path/to/my/subnet.172.16/shell
>   # for commands which start with 'new_shell', use specified shell and
>   # remove prefixing 'new_shell' :
>   Match  ^(new_shell)\ (.*) = \2
>     Shell /path/to/my/latest/shell
> If I develop such a patch, would there be any interest in it / likelihood
> of it being incorporated in a future OpenSSH release ?
> Iain, I'd be most interested to see your 'ForceShell' patch.
> Please could you post it ? Does it apply to commands from
> particular hosts, or all incoming commands ?
> Thanks & Regards,
> Jason

First, my apologies for not including the URL or bugzilla ID. The bug
(and patch) can be found at:


The patch adds a ForceShell option to sshd_config, similar to
ForceCommand, except that it overrides the shell used to invoke remote
commands or for interactive sessions.

With such an option, you could use a Match block to override the shell
for particular users, and could do so based on the client host or any
other criteria supported by the match directive.

For example:

	Match User sombody Host foo.example.com
		ForceShell	/bin/dash

As noted above, it is an sshd_config option, and thus cannot be set
directly by the user. From a policy enforcement standpoint, this seems
the better way to approach things.

Unfortunately, I haven't touched the patch in two years, so I'm not sure
if it still applies cleanly. I'll see if I can set aside some time to
update the patch, but that may be a week or two away. Feel free to give
it a try in the meantime.

Iain Morgan

More information about the openssh-unix-dev mailing list