openssh unix dev - Mar 2008 - openssh-unix-dev Digest, Vol 59, Issue 12

This problem can be solved by chowning the rc (and user conf files)  
files to some other user and chmod'ing the group and other write bits  
off. I say this because usually, when people use "ForceCommand" the  
intention is to severely restrict a particular account. Going down  
this path requires that you do a lot of homework around restricted  
shells/profiles/etc. and changes you might need to make to the  
default environment your OS provides. Ssh cannot and should not be  
expected to encapsulate all of the things that need attention if this  
is your goal.

If you reply directly to me with some background on your OS and what  
kind of behavior you would like to end up with, I will send you some  
pointers to get you started in the right direction.

On Mar 22, 2008, at 3:32 PM, openssh-unix-dev-request at mindrot.org
wrote:
> Date: Thu, 20 Mar 2008 18:19:02 -0400
> From: "Mikhail Terekhov" <termim at gmail.com>
> Subject: ForceCommand and ~/.ssh/rc
>
> Hi,
>
> As I understand the "ForceCommand" in the sshd_confing file is  
> meant to
> ignore any command supplied by the client, but if user's home is  
> shared by
> server and client machines over network (ex. NFS) then user can  
> still put
> something else into ~/.ssh/rc file and overcome this limitation. Is it
> possible to disable execution of the ~/.ssh/rc file in such a case?
>
> Thaks,
> Mike

Hi Jeremy and Mikhail,

Jeremy, thanks for offering assistance but please don't top-post, it 
doesn't help us to follow the thread (especially with that subject line). 
I've rearranged the posts here for the benefit of others.
> On Mar 22, 2008, at 3:32 PM, openssh-unix-dev-request at mindrot.org wrote:
>
>> As I understand the "ForceCommand" in the sshd_confing file
is meant to
>> ignore any command supplied by the client, but if user's home is
shared
>> by server and client machines over network (ex. NFS) then user can 
>> still put something else into ~/.ssh/rc file and overcome this 
>> limitation. Is it possible to disable execution of the ~/.ssh/rc file 
>> in such a case?
On Sun, 23 Mar 2008, Jeremy McMillan wrote:
> This problem can be solved by chowning the rc (and user conf files)
> files to some other user and chmod'ing the group and other write bits
> off. I say this because usually, when people use "ForceCommand"
the
> intention is to severely restrict a particular account. Going down
> this path requires that you do a lot of homework around restricted
> shells/profiles/etc. and changes you might need to make to the
> default environment your OS provides. Ssh cannot and should not be
> expected to encapsulate all of the things that need attention if this
> is your goal.
Unfortunately I don't believe that you are correct in general.

If the user has read-write access to their home directory, and it's not 
protected by some bizarre magical filesystem, then they can replace .ssh 
at will. For example:

mkdir ~/.ssh2
echo "echo 'Hello there!'" > ~/.ssh2/rc
mv ~/.ssh ~/.ssh.old
mv ~/.ssh2 ~/.ssh

This should be possible, whatever permissions you place on ~/.ssh or its 
contents. If you can see a flaw in my logic then I'd be very interested to 
hear it.

Mikhail, I don't believe there is an option to disable the rc file at 
present, but it sounds like a useful thing to add.

Cheers, Chris.
-- 
_ ___ __     _
  / __/ / ,__(_)_  | Chris Wilson <0000 at qwirx.com> - Cambs UK |
/ (_/ ,\/ _/ /_ \ | Security/C/C++/Java/Perl/SQL/HTML Developer |
\ _/_/_/_//_/___/ | We are GNU-free your mind-and your software |