Good day -

Please can OpenSSH provide some way of specifying which shell to use to
execute commands on a host.

For the account I need to use, the user's password shell is not acceptable
(a ten year old version of bash 3.0), and cannot be changed without weeks or
months of bureaucracy, if at all.

I built & installed the latest bash under that account, in the ~/bin directory,
but SSH will not use it.

Using the client OpenSSH version: 1:6.6p1-2ubuntu2 on a Linux x86_64
Ubuntu 14.04.1 host, if I try to specify which bash to use for an SSH command like:

    $ ssh $account /home/${user}/bin/bash -c 'echo $BASH_VERSION; echo $BASH_VERSION';

something very weird happens - only the second statement produces any output.
If this is changed, we see only the first statement is run by the new shell,
and the second is run by the old shell:

    $ ssh $account /home/${user}/bin/bash -c \
        'set | grep BASH_VERSION; echo $BASH_VERSION'

Produces the output:

    BASH_VERSION='4.3.30(1)-release'
    3.0.0(1)-release

So the first statement is run by the new shell, and the second by the old
shell.

This appears to be a major bug in OpenSSH - should I report it?

Since OpenSSH provides no way to run commands with anything other
than the user's password shell, it really needs to do so.

A simple patch would be to session.c, @ line 1746:

    /*
     * Get the shell from the password data.  An empty shell field is
     * legal, and means /bin/sh.
     */
    shell = (pw->pw_shell[0] == 0) ? _PATH_BSHELL : pw->pw_shell;

One could do something like:

    char *sh;
    if ( (sh=getenv("SSH_SHELL") )!= NULL )
        shell = sh;
    else
        shell = (pw->pw_shell[0] == 0) ? _PATH_BSHELL : pw->pw_shell;

Or provide some configuration option - this would probably have to
be per-server.

Is there any hope of getting the ability to specify which shell to run
remote commands with in a forthcoming OpenSSH release, or do
I need to apply my patch and maintain my own OpenSSH branch?

Thanks & Regards,
Jason

On 2015-01-21, Jason Vas Dias <jason.vas.dias at gmail.com> wrote:

> Please can OpenSSH provide some way of specifying which shell to use to
> execute commands on a host.

No way. The security fallout is staggering.

> For the account I need to use, the user's password shell is not acceptable,
> (a ten year old version of bash 3.0)
> and cannot be changed without weeks or months of bureaucracy, if at all.

Oh, but you could install a new sshd there?

> I built & installed the latest bash under that account, in the ~/bin directory,
> but SSH will not use it.

---- ~/.profile --->
case $BASH_VERSION in 3.*) exec ~/bin/bash -l ;; esac
<-------------------

You can build something similar with ~/.bashrc for non-login shells.

> Using the client OpenSSH version : 1:6.6p1-2ubuntu2 on a linux x86_64
> Ubuntu 14.04.1 host,
> if I try to specify which bash to use for an SSH command like :
> $ ssh $account /home/${user}/bin/bash -c 'echo $BASH_VERSION; echo
> $BASH_VERSION';
> something very weird happens - only the second statement produces any
> output .

Insufficient quoting.

    $ ssh $account "/home/${user}/bin/bash -c 'echo \$BASH_VERSION; echo \$BASH_VERSION'"

-- 
Christian "naddy" Weisgerber naddy at mips.inka.de

On 21 Jan 2015, at 15:36, Jason Vas Dias <jason.vas.dias at gmail.com> wrote:

> Please can OpenSSH provide some way of specifying which shell to use to
> execute commands on a host.

Using dash as an example of another shell:

    ssh 127.0.0.1 -t dash

and

    ssh 127.0.0.1 dash -c env

appear to do the expected for me.

-- 
Alex Bligh

On Wed, Jan 21, 2015 at 17:29:00 +0000, Alex Bligh wrote:

> On 21 Jan 2015, at 15:36, Jason Vas Dias <jason.vas.dias at gmail.com> wrote:
>
> > Please can OpenSSH provide some way of specifying which shell to use to
> > execute commands on a host.
>
> Using dash as an example of another shell:
>
>     ssh 127.0.0.1 -t dash
>
> and
>
>     ssh 127.0.0.1 dash -c env
>
> appear to do the expected for me.
>

Two years ago, I opened a bug to add support for a ForceShell option to
sshd that would provide the ability to override users' shells. There
doesn't seem to have been much interest in it, and I never received any
feedback.

I haven't updated the patch since the original submission, and it may
need some further work, but it might be worth a try. I don't recall if
it overrides the user's shell during forced password changes, so that
may be one area that needs to be addressed.

-- 
Iain Morgan

On 1/21/2015 9:36 AM, Jason Vas Dias wrote:

> Good day -
>
> Please can OpenSSH provide some way of specifying which shell to use to
> execute commands on a host.
>
> For the account I need to use, the user's password shell is not acceptable,
> (a ten year old version of bash 3.0)
> and cannot be changed without weeks or months of bureaucracy, if at all.
>
> I built & installed the latest bash under that account, in the ~/bin directory,
> but SSH will not use it.
>
> Using the client OpenSSH version : 1:6.6p1-2ubuntu2 on a linux x86_64
> Ubuntu 14.04.1 host,
> if I try to specify which bash to use for an SSH command like :
> $ ssh $account /home/${user}/bin/bash -c 'echo $BASH_VERSION; echo
> $BASH_VERSION';

Looks like an escape problem, and not clear if $user should be $USER and is
being done on the local system...

Try something like:

    ssh $account /home/${USER}/bin/bash -c \'echo \$BASH_VERSION\; echo \$BASH_VERSION\';

> something very weird happens - only the second statement produces any
> output .
> If this is changed, we see only the first statement is run by the new shell,
> and the second is run by the old shell:
> $ ssh $account /home/${user}/bin/bash -c \
> 'set | grep BASH_VERSION; echo $BASH_VERSION'
> Produces the output:
> BASH_VERSION='4.3.30(1)-release'
> 3.0.0(1)-release
> So the first statement is run by the new shell, and the second by the old
> shell.
>
> This appears to be a major bug in OpenSSH - should I report it ?
>
> Since OpenSSH provides no way to run commands with anything other
> than the user's password shell, it really needs to do so.
>
> A simple patch would be to session.c, @ line 1746 :
>
>     /*
>      * Get the shell from the password data.  An empty shell field is
>      * legal, and means /bin/sh.
>      */
>     shell = (pw->pw_shell[0] == 0) ? _PATH_BSHELL : pw->pw_shell;
>
>
> One could do something like:
>
>     char *sh;
>     if ( (sh=getenv("SSH_SHELL") )!= NULL )
>         shell = sh;
>     else
>         shell = (pw->pw_shell[0] == 0) ? _PATH_BSHELL : pw->pw_shell;
>
>
> Or provide some configuration option - this would probably have to
> be per-server .
>
> Is there any hope of getting the ability to specify which shell to run
> remote commands with in a forthcoming OpenSSH release, or do
> I need to apply my patch and maintain my own OpenSSH branch ?
>
> Thanks & Regards,
> Jason
>

-- 
Douglas E. Engert <DEEngert at gmail.com>
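
Added example, not part of any message in the thread: a local model of the quoting behaviour the replies above point to, runnable without a network. It assumes ssh joins its command arguments with single spaces and the server passes that one string to the account's login shell with -c; fake_ssh and the WHO variable (standing in for $BASH_VERSION) are hypothetical names.

```shell
#!/bin/sh
# Local model of remote command handling; no ssh connection is made.
# Assumption: `ssh host a b c` sends the single string "a b c", and sshd
# runs it as:  <login shell> -c "a b c".
# WHO stands in for $BASH_VERSION: "login" marks the account's login shell,
# "custom" marks the replacement shell the user wanted to run.

# fake_ssh ARGS... : hypothetical helper that mimics `ssh host ARGS...`
fake_ssh() {
    joined="$*"                  # client-side join: argument boundaries are lost
    WHO=login sh -c "$joined"    # the "login shell" parses the string again
}

# Form from the original post. After the join the login shell sees
#   env WHO=custom sh -c echo $WHO; echo $WHO
# so the inner shell runs a bare `echo` (the expanded $WHO becomes its $0)
# and the second echo is executed by the login shell itself.
broken() {
    fake_ssh env WHO=custom sh -c 'echo $WHO; echo $WHO'
}

# First suggested fix: one double-quoted argument with \$ so that neither
# the local shell nor the login shell expands the variable.
fixed() {
    fake_ssh "env WHO=custom sh -c 'echo \$WHO; echo \$WHO'"
}

# Second suggested fix: backslash-escape the quotes, semicolon and dollar
# signs so they survive local parsing and reach the login shell literally.
escaped() {
    fake_ssh env WHO=custom sh -c \'echo \$WHO\; echo \$WHO\'
}

printf 'broken:\n%s\n' "$(broken)"
printf 'fixed:\n%s\n' "$(fixed)"
printf 'escaped:\n%s\n' "$(escaped)"
```

The broken form prints an empty line followed by the login shell's value, which matches the "only the second statement produces any output" symptom reported in the first message.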