Hi,
I have set up a sshd_config that uses an alternate port number and
ForceCommand to force the execution of a home-made service to our users.
ForceCommand executes the command using 'shell' '-c', and as a result
the user's .bashrc, .tcshrc, .whateverrc is being loaded -- which is
something I was trying to prevent, because I'm trying to "force a
command" upon them. In my case loading a .bashrc can be considered as a
security hole.
Is there any way around this? Maybe a different kind of setup would be
better?
I like using ssh for the service because of its excellent authentication
mechanisms.
I even made a patch to sshd session.c (see below) but I'd rather not
have to maintain local mods to the source.
Greets,
--Walter
void do_child()
/*
argv[0] = (char *) shell0;
argv[1] = "-c";
argv[2] = (char *) command;
argv[3] = NULL;
*/
argv[0] = "/bin/bash";
argv[1] = "--norc";
argv[2] = "--noprofile";
argv[3] = "-c";
argv[4] = (char *)command;
argv[5] = NULL;
execve(shell, argv, env);
perror(shell);
exit(1);
--
*** If you build it, they will come ***
HPC Systems Programmer at SARA Computing and Network Services
People should be able to e-mail me, spambots should not.
I have set up a sshd_config that uses an alternate port number and
ForceCommand to force the execution of a home-made service to our users.
ForceCommand executes the command using 'shell' '-c', and as a result
the user's .bashrc, .tcshrc, .whateverrc is being loaded -- which is
something I was trying to prevent, because I'm trying to "force a
command" upon them. In my case loading a .bashrc can be considered as a
security hole.
Is there any way around this? Maybe a different kind of setup would be
better?
I like using ssh for the service because of its excellent authentication
mechanisms.
I even made a patch to sshd session.c (see below) but I'd rather not
have to maintain local mods to the source.
Greets,
--Walter
void do_child()
/*
argv[0] = (char *) shell0;
argv[1] = "-c";
argv[2] = (char *) command;
argv[3] = NULL;
*/
argv[0] = "/bin/bash";
argv[1] = "--norc";
argv[2] = "--noprofile";
argv[3] = "-c";
argv[4] = (char *)command;
argv[5] = NULL;
execve(shell, argv, env);
perror(shell);
exit(1);
--
*** If you build it, they will come ***
HPC Systems Programmer at SARA Computing and Network Services
People should be able to e-mail me, spambots should not.