ssh(1) is inaccurate

Stephen Harris lists at spuddy.org
Thu Dec 7 00:58:19 AEDT 2017


> "If command is specified, it is executed on the remote host instead of a
> login shell."
> 
> But afaik this is not quite accurate. The login shell is always started.
> But if a command is specified it runs that command instead of just
> opening an interactive setting.

Not quite.  A "login shell" is a specific term in Unix.  It means (roughly)
the shell the user has defined (eg in /etc/passwd) but run in a specific
way. 

If you look at the underlying C calls you might see something like

  execl("/bin/sh","sh",NULL)

That would run a normal shell.

However
  execl("/bin/sh","-sh",NULL)
would be a "login shell".  Note the extra "-" character.  This tells the
shell that it is being called as a login shell, rather than a subshell.

So if you do something like
  ssh remotehost
then on the remote host it will look up the shell defined in the passwd
file ( eg /bin/sh) and do something similar to
  execl("/bin/sh","-sh",NULL)

(The exact calls are more complicated, but this is the essence; I've
simplified)

However if you do
  ssh remotehost command
then it does something more like
  execl("/bin/sh","sh","-c",command,NULL)

> So if a user has /dev/false as login shell, you cannot run a command on

So here is where your confusion over terminology led you wrong.  The
password file defines the shell to be used.  How the shell is called
determines if it is being used as a login shell or not.

You can read more about "login shells" if you do "man bash" and skip
down to the INVOCATION section

-- 

rgds
Stephen
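
The two invocation forms described in the message above, as an added C example that is not part of the original post and is not sshd's code. The helper names build_shell_argv, is_login_invocation and run_command are hypothetical, and /bin/sh is assumed to be the shell from the passwd file.

```c
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Argument vector for the user's shell, per the post's simplified model
 * (hypothetical helper, not sshd's code): no command -> { "-sh", NULL },
 * a login shell; command -> { "sh", "-c", command, NULL }. */
int build_shell_argv(const char *shell, const char *command,
                     char *argv0, size_t len, const char *argv[4])
{
    const char *base = strrchr(shell, '/');
    base = base ? base + 1 : shell;
    int n = snprintf(argv0, len, "%s%s", command ? "" : "-", base);
    if (n < 0 || (size_t)n >= len)
        return -1;                      /* shell name does not fit */
    argv[0] = argv0;
    argv[1] = command ? "-c" : NULL;
    argv[2] = command;
    argv[3] = NULL;
    return 0;
}

/* The check a shell applies to its own argv[0] at startup. */
int is_login_invocation(const char *argv0) { return argv0 && argv0[0] == '-'; }

/* Run `command` through `shell` (the passwd-file shell); return its exit status. */
int run_command(const char *shell, const char *command)
{
    char argv0[64];
    const char *argv[4];
    int status;
    if (!command || build_shell_argv(shell, command, argv0, sizeof argv0, argv))
        return -1;
    pid_t pid = fork();
    if (pid == 0) {
        execv(shell, (char *const *)argv);
        _exit(127);                     /* exec failed */
    }
    if (pid < 0 || waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* $0 expands to argv[0], so this prints "sh": no leading '-'. */
    return run_command("/bin/sh", "echo \"argv[0] is $0\"");
}
```

The same binary is executed in both cases; only argv[0] and the "-c command" arguments differ.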



More information about the openssh-unix-dev mailing list