Using 'ForceCommand' Option

Nico Kadel-Garcia nkadel at gmail.com
Thu Feb 18 14:17:29 AEDT 2016


On Wed, Feb 17, 2016 at 5:47 PM, Lesley Kimmel
<lesley.j.kimmel at gmail.com> wrote:
> So I probably shouldn't have said "arbitrary" script. What I really want to
> do is to present a terms of service notice (/etc/issue). But I also want to
> get the user to actually confirm (by typing 'y') that they accept. If they
> try to exit or type anything other than 'y' they will be denied access. I'm
> not sure a user can interact with a script being executed by PAM. Also, I
> want to differentiate for SCP.

I think you're really, really trying to hurt yourself and burning
cycles better spent elsewhere on a non-enforceable service agreement.
Sun tried this with their Java installer, and it was loathed by
*everyone* who's had to cope with it.

If your scriptable operations for handling of specific keys are really
limited, such as only serving rsync, you might take a look at the
"validate-rsync.sh" script published in many places. But I suspect
you're simply going to make your user community hate you, since this
will break rsync over SSH, sftp, WinSCP based access to sftp or scp,
etc. etc. etc. Shoving personal text interactions into a well-defined
and very standard API is not a nice thing to do to your users.

                      Nico Kadel-Garcia <nkadel at gmail.com>
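
The scp/rsync/sftp breakage described in the message above comes from a forced script writing to or reading from the channel those protocols use. The sketch below is an added example, not part of the original thread and not OpenSSH code: a ForceCommand wrapper that prompts only on interactive logins and passes file-transfer requests through untouched. The install path, the `--run` argument and the command shapes it matches are assumptions.

```shell
#!/bin/sh
# Added example, not from the post or from OpenSSH. Hypothetical install:
#   ForceCommand /usr/local/sbin/tos-gate.sh --run     (sshd_config)
NL='
'
# Classify what the client asked for; sshd exports the request as
# SSH_ORIGINAL_COMMAND when ForceCommand is in effect (empty = login shell).
classify_session() {
    case $1 in
        '') echo interactive ;;
        # Metacharacters would let "scp -t x; sh" ride past the prompt.
        *"$NL"*|*\;*|*\&*|*\|*|*\`*|*\$*|*\(*|*\)*|*\<*|*\>*) echo other ;;
        'scp -t '*|'scp -f '*|'scp -'*' -t '*|'scp -'*' -f '*) echo scp ;;
        'rsync --server '*) echo rsync ;;
        # Assumption: an external sftp-server binary is the configured subsystem.
        */sftp-server|*/sftp-server' '*) echo sftp ;;
        *) echo other ;;
    esac
}

handle_session() {
    case $(classify_session "${SSH_ORIGINAL_COMMAND:-}") in
        interactive)
            cat /etc/issue
            printf 'Accept these terms? [y/N] '
            read -r answer || exit 1
            [ "$answer" = y ] || exit 1
            exec "${SHELL:-/bin/sh}" -l ;;
        scp|rsync|sftp)
            # No prompt: anything written to stdout here corrupts the
            # transfer protocol the client is speaking.
            exec /bin/sh -c "$SSH_ORIGINAL_COMMAND" ;;
        *)
            echo 'Refused: accept the terms in an interactive login.' >&2
            exit 1 ;;
    esac
}

if [ "${1:-}" = "--run" ]; then handle_session; fi
```

File-transfer clients never see the notice under this scheme, and the prefix matching is a way to route sessions, not a restriction on what an already-authorized user can run.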

