On Wed, May 16, 2007 at 14:36:47 +0200, Remy Blank
wrote:> Hello,
>
> I am trying to force a command for all users *except* for users in the
> "wheel" group. My idea was to do the following in sshd_config:
>
> ForceCommand /usr/bin/validate-ssh-command
>
> Match Group wheel
> ForceCommand
>
> But obviously this doesn't work, because ForceCommand requires an
> argument. I couldn't find a way to achieve what I want.
>
> I wrote a patch that adds a "NoForceCommand" configuration option
that
> removes any configured ForceCommand. This allows me to have the following:
>
> ForceCommand /usr/bin/validate-ssh-command
>
> Match Group wheel
> NoForceCommand
It would be more in keeping with the general syntax of the ssh_config
(and the preferrence of keeping the number of options to a minimum)
to have ForcedCommand accept the special keyword 'none'.
>
> Is there a better way to do this? Possibly without patching openssh?
I have to admit, I haven't played around with the Match keyword much.
If it accepted negation (I don't recall if it does), you could do
something like:
Match ! Group wheel
ForceCommand /usr/bin/validate-ssh-command
--
Iain
>
> BTW, the patch is against openssh-4.5p1.
>
> Thanks.
> -- Remy
> --- servconf.c.orig 2007-05-16 13:38:13.000000000 +0200
> +++ servconf.c 2007-05-16 14:21:47.000000000 +0200
> @@ -122,6 +122,7 @@
> options->permit_tun = -1;
> options->num_permitted_opens = -1;
> options->adm_forced_command = NULL;
> + options->no_forced_command = 0;
> }
>
> void
> @@ -291,7 +292,7 @@
> sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
> sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,
> sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel,
> - sMatch, sPermitOpen, sForceCommand,
> + sMatch, sPermitOpen, sForceCommand, sNoForceCommand,
> sUsePrivilegeSeparation,
> sDeprecated, sUnsupported
> } ServerOpCodes;
> @@ -403,6 +404,7 @@
> { "match", sMatch, SSHCFG_ALL },
> { "permitopen", sPermitOpen, SSHCFG_ALL },
> { "forcecommand", sForceCommand, SSHCFG_ALL },
> + { "noforcecommand", sNoForceCommand, SSHCFG_ALL },
> { NULL, sBadOption, 0 }
> };
>
> @@ -1249,10 +1251,21 @@
> fatal("%.200s line %d: Missing argument.", filename,
> linenum);
> len = strspn(cp, WHITESPACE);
> - if (*activep && options->adm_forced_command == NULL)
> + if (*activep && options->adm_forced_command == NULL) {
> options->adm_forced_command = xstrdup(cp + len);
> + options->no_forced_command = 0;
> + }
> return 0;
>
> + case sNoForceCommand:
> + if (*activep) {
> + if (options->adm_forced_command != NULL)
> + xfree(options->adm_forced_command);
> + options->adm_forced_command = NULL;
> + options->no_forced_command = 1;
> + }
> + break;
> +
> case sDeprecated:
> logit("%s line %d: Deprecated option %s",
> filename, linenum, arg);
> @@ -1332,6 +1345,11 @@
> xfree(dst->adm_forced_command);
> dst->adm_forced_command = src->adm_forced_command;
> }
> + if (src->no_forced_command) {
> + if (dst->adm_forced_command != NULL)
> + xfree(dst->adm_forced_command);
> + dst->adm_forced_command = NULL;
> + }
> if (src->x11_display_offset != -1)
> dst->x11_display_offset = src->x11_display_offset;
> if (src->x11_forwarding != -1)
>
> --- servconf.h.orig 2007-05-16 14:18:52.000000000 +0200
> +++ servconf.h 2007-05-16 14:19:26.000000000 +0200
> @@ -135,6 +135,7 @@
> char *authorized_keys_file2;
>
> char *adm_forced_command;
> + int no_forced_command;
>
> int use_pam; /* Enable auth via PAM */
>
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> http://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
--
Iain Morgan