openssh unix dev - Mar 2005 - "ssh user@server /bin/sh" vs "no-pty" option.

Hello List,

 Do I get it right that I *MUST* chroot a user first and make
 /bin/rssh his shell in the /etc/passwd to effectively restrict him?
 There should be no /bin/ksh (or bash) in his jail?
 If I do not jail him - no matter what is his passwd shell - he will
 be able to issue "ssh user at server /bin/sh" still, right?

-- 
Best regards,
 Anthony                   mailto:rz1a at nwgsm.ru

rz1a at nwgsm.ru wrote:
>  Do I get it right that I *MUST* chroot a user first and make
>  /bin/rssh his shell in the /etc/passwd to effectively restrict him?
>  There should be no /bin/ksh (or bash) in his jail?
>  If I do not jail him - no matter what is his passwd shell - he will
>  be able to issue "ssh user at server /bin/sh" still, right?
sshd runs those commands via the user's login shell with the "-c"
option,
have a look at session.c:do_child().  As long as the user's login shell 
doesn't obey "-c" (or applies the same restrictions as for
interactive
use) then the user won't be able to run commands via "ssh server
command".

They will, however be able to do port forwarding ("ssh -2 -N -L [foo] 
server").

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
     Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.