Hi,

I'm just testing if it is possible to send from other email addresses than the one I use to receive mails.

Regards,
--
Y.
Hello,

I was working on openSSH-4.6p1 sources at work (for a local problem with AFS token, but it's not the subject of the mail), and I started playing with the 'Match' command for servers.

We are trying to allow some specific access for referenced users/machines, and I find that a feature is missing: the possibility to restrict the set of commands for a given user/machine/whatsoever that 'Match' handles. I mean being able to explicitly indicate the commands that can be executed through ssh.

So I added a 'CommandFilter' command on sshd which allows giving a set of allowed commands. When executing a command on the server (the "exec" message) it checks if it is allowed, and if not it sends a disconnect message to the client. This CommandFilter is usable with Match, to create specific sets of allowed commands.

So my questions:
- is there a simpler/nicer way to do that (or even maybe it is still possible without any change)
- is my modification correct (I mean is it the good way to perform such a modification)?
- and should my modification interest developers or other people? In this case I can send a patch for that.

Thanks for your answers/comments.

Regards,
--
Yannick Perret
On Fri, May 18, 2007 at 08:18:24PM +0200, perret.yannick wrote:
> So my questions:
> - is there a simpler/nicer way to do that (or even maybe it is
> still possible without any change)
> - is my modification correct (I mean is it the good way to
> perform such a modification)?

This problem is better solved by the shell. All commands that sshd executes on behalf of the client use the shell, and since there may be other ways for the user to access the system, sshd is not a very good place for these restrictions.

You could look at rssh for an example of a restricted shell.

//Peter
Peter Stuge wrote:
> On Fri, May 18, 2007 at 08:18:24PM +0200, perret.yannick wrote:
>
>> So my questions:
>> - is there a simpler/nicer way to do that (or even maybe it is
>> still possible without any change)
>> - is my modification correct (I mean is it the good way to
>> perform such a modification)?
>>
>
> This problem is better solved by the shell. All commands that sshd
> executes on behalf of the client use the shell, and since there may
> be other ways for the user to access the system, sshd is not a very
> good place for these restrictions.
>

Well, it may be a way. In this case we should use the ForceCommand to set the restricted shell, right?

Thanks for the hints.

Regards,
--
Yannick Perret
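
The approach the thread ends on (a Match block whose ForceCommand points at a restricting program) can be sketched as follows. This is an added example, not part of the original messages and not code from OpenSSH or rssh; the group name, install path and allowlist entries are assumptions.

```shell
#!/bin/sh
# Added example: allowlist wrapper meant to be run via ForceCommand.
# Hypothetical sshd_config fragment (group name and path are assumptions):
#   Match Group restricted
#       ForceCommand /usr/local/bin/ssh-command-filter
#
# sshd runs the ForceCommand instead of the client's request and exposes
# that request in SSH_ORIGINAL_COMMAND, so the decision is made here.

# One permitted command line per line (constructed sample entries).
ALLOWED_COMMANDS='uptime
df -h
/usr/bin/who'

NL='
'

# is_allowed CMD: succeed only if CMD equals one allowlist entry exactly.
# Whole-line comparison means "uptime; sh" or "df -h /etc" never match,
# so no parsing of shell metacharacters is needed.
is_allowed() {
    [ -n "$1" ] || return 1                  # no command (interactive login): refuse
    case "$1" in *"$NL"*) return 1 ;; esac   # grep -F would split on newlines: refuse
    printf '%s\n' "$ALLOWED_COMMANDS" | grep -Fqx -- "$1"
}

run_filter() {
    if is_allowed "${SSH_ORIGINAL_COMMAND:-}"; then
        # The string is a verbatim allowlist entry, so it is safe to run.
        exec /bin/sh -c "$SSH_ORIGINAL_COMMAND"
    fi
    echo "command not permitted" >&2
    exit 1
}

# Only act when installed under the name used in the ForceCommand line.
if [ "${0##*/}" = "ssh-command-filter" ]; then
    run_filter
fi
```

A wrapper like this only governs sessions that arrive through sshd; as Peter notes above, other ways of reaching the system need their own restriction.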