ForceCommand and NFS-shared home directories (was re: openssh-unix-dev Digest, Vol 59, Issue 12)

Chris Wilson chris at qwirx.com
Mon Mar 24 02:19:26 EST 2008


Hi Jeremy and Mikhail,

Jeremy, thanks for offering assistance but please don't top-post, it 
doesn't help us to follow the thread (especially with that subject line). 
I've rearranged the posts here for the benefit of others.

> On Mar 22, 2008, at 3:32 PM, openssh-unix-dev-request at mindrot.org wrote:
>
>> As I understand the "ForceCommand" in the sshd_config file is meant to 
>> ignore any command supplied by the client, but if user's home is shared 
>> by server and client machines over network (ex. NFS) then user can 
>> still put something else into ~/.ssh/rc file and overcome this 
>> limitation. Is it possible to disable execution of the ~/.ssh/rc file 
>> in such a case?

On Sun, 23 Mar 2008, Jeremy McMillan wrote:

> This problem can be solved by chowning the rc (and user conf files)
> files to some other user and chmod'ing the group and other write bits
> off. I say this because usually, when people use "ForceCommand" the
> intention is to severely restrict a particular account. Going down
> this path requires that you do a lot of homework around restricted
> shells/profiles/etc. and changes you might need to make to the
> default environment your OS provides. Ssh cannot and should not be
> expected to encapsulate all of the things that need attention if this
> is your goal.

Unfortunately I don't believe that you are correct in general.

If the user has read-write access to their home directory, and it's not 
protected by some bizarre magical filesystem, then they can replace .ssh 
at will. For example:

mkdir ~/.ssh2
echo "echo 'Hello there!'" > ~/.ssh2/rc
mv ~/.ssh ~/.ssh.old
mv ~/.ssh2 ~/.ssh

This should be possible, whatever permissions you place on ~/.ssh or its 
contents. If you can see a flaw in my logic then I'd be very interested to 
hear it.

Mikhail, I don't believe there is an option to disable the rc file at 
present, but it sounds like a useful thing to add.

Cheers, Chris.
-- 
_ ___ __     _
  / __/ / ,__(_)_  | Chris Wilson <0000 at qwirx.com> - Cambs UK |
/ (_/ ,\/ _/ /_ \ | Security/C/C++/Java/Perl/SQL/HTML Developer |
\ _/_/_/_//_/___/ | We are GNU-free your mind-and your software |
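The point Chris makes above is that permissions on ~/.ssh/rc (or on ~/.ssh itself) only hold if the account cannot write to the directory that contains them, because a writable parent lets the user rename the locked-down directory away and create a fresh one. The following script is an added example, not code from the thread or from OpenSSH: it audits a home directory for that weakness at each level (home, ~/.ssh, rc), and separately checks an authorized_keys file for the per-key `no-user-rc` option (later OpenSSH versions also accept `restrict`, which implies it, and added a sshd_config `PermitUserRC` directive). The key blob and paths in the demo are constructed sample data.

```shell
#!/bin/sh
# Added example, not part of the original thread or of OpenSSH.
# Two defender-side checks for the ~/.ssh/rc versus ForceCommand problem.

# rc_lockdown_bypassable HOME
#   Returns 0 if the invoking user can write somewhere that lets ~/.ssh/rc be
#   replaced (the home directory, ~/.ssh, or rc itself), 1 if none of those
#   is writable, 2 if HOME is not a directory. Run it as the account under
#   review: for root, -w is always true and the answer is meaningless.
rc_lockdown_bypassable() {
    home="$1"
    [ -d "$home" ] || return 2
    # Writable home: ~/.ssh can be renamed away and recreated (Chris's case).
    if [ -w "$home" ]; then
        echo "$home: home directory writable, ~/.ssh can be replaced"
        return 0
    fi
    # Writable ~/.ssh: rc can be renamed and recreated even if read-only.
    if [ -w "$home/.ssh" ]; then
        echo "$home/.ssh: directory writable, rc can be replaced"
        return 0
    fi
    # Writable rc: the obvious case.
    if [ -w "$home/.ssh/rc" ]; then
        echo "$home/.ssh/rc: file writable"
        return 0
    fi
    return 1
}

# keys_all_disable_rc FILE
#   Returns 0 if every key line in the authorized_keys FILE carries the
#   no-user-rc or restrict option, 1 if any key line lacks both (or has no
#   options at all). Comments and blank lines are ignored.
keys_all_disable_rc() {
    awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        {
            # The options field is everything before the key-type field.
            k = 0
            for (i = 1; i <= NF; i++)
                if ($i ~ /^(ssh-|ecdsa-sha2-|sk-)/) { k = i; break }
            if (k <= 1) { bad++; next }   # no options, or no key type found
            opts = ""
            for (i = 1; i < k; i++) opts = opts (i > 1 ? " " : "") $i
            # Wrap in commas so the option matches only as a whole token.
            if ("," opts "," ~ /,(no-user-rc|restrict),/) ok++; else bad++
        }
        END { exit (bad > 0) }
    ' "$1"
}

# Demo on a constructed home directory: rc and ~/.ssh are made read-only,
# yet the check still reports the home directory itself as the weak point.
demo() {
    tmp=$(mktemp -d)
    home="$tmp/home"
    mkdir -p "$home/.ssh"
    printf 'echo from-rc\n' > "$home/.ssh/rc"
    chmod 444 "$home/.ssh/rc"     # read-only rc file ...
    chmod 555 "$home/.ssh"        # ... inside a read-only ~/.ssh ...
    rc_lockdown_bypassable "$home" || echo "$home: rc lockdown holds"
    # Constructed authorized_keys line (placeholder key blob).
    printf 'no-user-rc,command="/usr/bin/rsync --server" ssh-ed25519 AAAAC3 constructed-key\n' > "$tmp/ak"
    keys_all_disable_rc "$tmp/ak" && echo "$tmp/ak: every key disables rc"
    chmod -R u+w "$tmp"
    rm -rf "$tmp"
}

demo
```

The awk check examines only the options field, so a word such as `restrict` appearing in a key's comment does not count, and a line with no options at all is reported as failing.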


More information about the openssh-unix-dev mailing list