Hi,

I'm looking for a way to force users to use a pty and their login shell.
They have a .profile that forces them to use a specific application.
They are currently logging in with telnetd, so this is effective. I
want to move to openssh, but this would allow "ssh user at host /bin/sh"
and any other commands they can think of to bypass this restriction.

Is there a way to make openssh as restrictive as the current environment?

--
Jeremy Jackson
Coplanar Networks
(519)897-1516
http://www.coplanar.net
Jeremy Jackson wrote:
> I'm looking for a way to force users to use a pty and their login shell.
> They have a .profile that forces them to use a specific application.
> They are currently logging in with telnetd, so this is effective. I
> want to move to openssh, but this would allow "ssh user at host /bin/sh"
> and any other commands they can think of to bypass this restriction.
>
> Is there a way to make openssh as restrictive as the current environment?

If you are using pubkey authentication you can use the cmd= option in the
user's authorized_keys file.

--
Jefferson Ogata <Jefferson.Ogata at noaa.gov>
NOAA Computer Incident Response Team (N-CIRT) <ncirt at noaa.gov>
On Wed, Sep 22, 2004 at 03:10:18PM -0400, Jeremy Jackson wrote:
> Is there a way to make openssh as restrictive as the current
> environment?

Give users keys for authentication, allow no other authentication method
and use command= in .ssh/authorized_keys. See AUTHORIZED_KEYS FILE FORMAT
in sshd(8).

//Peter
Jeremy Jackson wrote:
> Hi,
>
> I'm looking for a way to force users to use a pty and their login shell.
> They have a .profile that forces them to use a specific application.
> They are currently logging in with telnetd, so this is effective. I
> want to move to openssh, but this would allow "ssh user at host /bin/sh"
> and any other commands they can think of to bypass this restriction.
>
> Is there a way to make openssh as restrictive as the current environment?

You can make the forced command the user's shell, or use a custom
restricted shell like rssh.

-d
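The setup the three replies above describe, put together as an added example (it is not code from this thread or from OpenSSH): sshd accepts public keys only, each key carries a command= option, and the forced command is a wrapper that refuses any session without a pty or with a requested remote command, and otherwise starts the account's login shell as a login shell so the existing .profile runs as it does under telnetd. The wrapper path /usr/local/sbin/forced-login, the sshd_config lines, the key line and the session_policy function are assumptions made for illustration; the wrapper also assumes the login shell accepts -l.

```shell
#!/bin/sh
# forced-login: added example wrapper, not code from the original thread.
# Installed as the forced command for key-only accounts so every session,
# whatever the client requested, ends up in the account's login shell with
# a pty. Assumed server-side setup (all paths and the key line are
# assumptions):
#
#   /etc/ssh/sshd_config
#     PasswordAuthentication no
#     ChallengeResponseAuthentication no
#     PubkeyAuthentication yes
#
#   ~user/.ssh/authorized_keys (one line)
#     command="/usr/local/sbin/forced-login --run",no-port-forwarding,no-X11-forwarding,no-agent-forwarding ssh-rsa AAAA... user@client
#
# With a forced command set, sshd runs it instead of whatever the client
# asked for and puts the client's request in SSH_ORIGINAL_COMMAND
# ("/bin/sh" for "ssh user@host /bin/sh"). That value is logged, never run.

# session_policy HAS_TTY ORIGINAL_COMMAND
# Prints a one-line reason and returns 0 (allow) only for an interactive
# session that requested no command; returns 1 otherwise. Kept as a
# function so the decision can be exercised without an ssh connection.
session_policy() {
    if [ "$1" != 1 ]; then
        echo "no pty allocated (ssh -T, scp, sftp or a plain remote command)"
        return 1
    fi
    if [ -n "$2" ]; then
        echo "remote command requested: $2"
        return 1
    fi
    echo "interactive login"
    return 0
}

# Only act as the wrapper when invoked with --run (as in the key line above).
if [ "$1" = "--run" ]; then
    if [ -t 0 ]; then has_tty=1; else has_tty=0; fi
    if reason=$(session_policy "$has_tty" "${SSH_ORIGINAL_COMMAND-}"); then
        logger -p auth.info -t forced-login "${USER-?}: $reason"
        # -l makes it a login shell, so ~/.profile runs and hands the user
        # to the restricted application exactly as telnetd did.
        exec "${SHELL:-/bin/sh}" -l
    else
        logger -p auth.warning -t forced-login "${USER-?}: refused, $reason"
        printf 'Only interactive logins are permitted.\n' >&2
        exit 1
    fi
fi
```

Two caveats worth checking on the server. If the user can write to their own ~/.ssh/authorized_keys they can simply delete the command= option again, so point AuthorizedKeysFile in sshd_config at a root-owned location the user cannot modify. Later OpenSSH releases also added ForceCommand (usable inside a Match User block in sshd_config) and the restrict keyword for authorized_keys, which give the same result without a per-key list of no-* options.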
Couple of things you could try from the source side.

#1 rename the ssh binary, and replace with a shell script. Allow it to
parse parameters. Parameters starting with a "-" minus sign are added to a
variable, then the first non "-" parameter is taken as well and added to
said variable. Then execute the renamed ssh binary with the variable
contents used as parameters.

-------------
#!/bin/sh
# Wrapper installed in place of the ssh binary; the real binary has been
# renamed to /usr/local/bin/ssh.cmd.
varParams=""
while [ ${#} -gt 0 ]
do
    case ${1} in
        # Options are collected as-is (an option that takes a separate
        # argument, e.g. "-p 22", would see "22" taken as the host).
        -*) varParams=${varParams}" ${1}" && shift 1;;
        # The first non-option word is the host; everything after it is
        # dropped, so a trailing remote command never reaches ssh.
        *)  varParams=${varParams}" ${1}" && shift ${#};;
    esac
done
/usr/local/bin/ssh.cmd ${varParams}
-------------

Second, make an ssh alias for the user's profile, that only accepts one
parameter.

-------------
# An alias cannot take positional parameters; a shell function can.
ssh() { /usr/local/bin/ssh "${1}"; }
-------------