On Wed, Jan 21, 2015 at 17:29:00 +0000, Alex Bligh wrote:
>
> On 21 Jan 2015, at 15:36, Jason Vas Dias <jason.vas.dias at gmail.com> wrote:
>
> > Please can OpenSSH provide some way of specifying which shell to use to
> > execute commands on a host.
>
> Using dash as an example of another shell:
>
> ssh 127.0.0.1 -t dash
>
> and
>
> ssh 127.0.0.1 dash -c env
>
> appear to do the expected for me.
>

Two years ago, I opened a bug to add support for a ForceShell option to sshd that would provide the ability to override users' shells. There doesn't seem to have been much interest in it, and I never received any feedback.

I haven't updated the patch since the original submission, and it may need some further work, but it might be worth a try. I don't recall if it overrides the user's shell during forced password changes, so that may be one area that needs to be addressed.

--
Iain Morgan
Thanks Alan & Iain for your replies.
RE:
>> ssh 127.0.0.1 dash -c env
>>
>> appear to do the expected for me.
>>

Yes, it is easy enough to run any program on the remote host to read commands from stdin and write results to stdout; but that means you have to send the script to execute separately:

  $ echo "$script" | ssh $remote_host $remote_shell

and that means you must be aware on the origin host exactly what the path of $remote_shell is on the remote host.

Also, using $SHELL -c "$SCRIPT" on the origin host does not work if $SCRIPT contains semi-colons; only the first line terminated by a semi-colon will be run by $SHELL; remaining lines are run by the user's default shell. And that introduces a new level of quoting hell.

What I'd like is an option I could put into a configuration file on $remote_host to say "sshd should use SHELL=$X for all commands", or maybe it might be nicer to be able to say:
"use SHELL=$X for commands coming from host $Y or network $N"
or "use SHELL=$X for commands that match the regular expression $Y"
or a combination of both.

The problem is, of course, that there appears to be no user-specific configuration file for sshd beyond ~/.ssh/rc - and I don't think that is the right file. AFAICS, sshd does not parse the user's ~/.ssh/config - this is used only by the 'ssh' client for OUTGOING commands.

It appears sshd needs a per-user config file for INCOMING commands.

So the patch would need to add a new "~/.ssh/sshd_config" file, which could contain lines like:

  # for commands coming from hosts on subnet 192.168/16, use this shell:
  Host 192.168/16
  Shell /path/to/my/subnet.192.168/shell
  # for commands coming from hosts on subnet 172.16/16, use this shell:
  Host 172.16/16
  Shell /path/to/my/subnet.172.16/shell
  # for commands which start with 'new_shell', use specified shell and
  # remove prefixing 'new_shell' :
  Match ^(new_shell)\ (.*) = \2
  Shell /path/to/my/latest/shell

If I develop such a patch, would there be any interest in it / likelihood of it being incorporated in a future OpenSSH release?

Iain, I'd be most interested to see your 'ForceShell' patch. Please could you post it? Does it apply to commands from particular hosts, or all incoming commands?

Thanks & Regards,
Jason

On 21/01/2015, Iain Morgan <imorgan at nas.nasa.gov> wrote:
(...)
On Thu, Jan 22, 2015 at 14:17:13 +0000, Jason Vas Dias wrote:
(...)

First, my apologies for not including the URL or bugzilla ID. The bug (and patch) can be found at:

  https://bugzilla.mindrot.org/show_bug.cgi?id=2062

The patch adds a ForceShell option to sshd_config, similar to ForceCommand, except that it overrides the shell used to invoke remote commands or for interactive sessions. With such an option, you could use a Match block to override the shell for particular users, and could do so based on the client host or any other criteria supported by the Match directive. For example:

  Match User somebody Host foo.example.com
      ForceShell /bin/dash

As noted above, it is an sshd_config option, and thus cannot be set directly by the user. From a policy enforcement standpoint, this seems the better way to approach things.

Unfortunately, I haven't touched the patch in two years, so I'm not sure if it still applies cleanly. I'll see if I can set aside some time to update the patch, but that may be a week or two away. Feel free to give it a try in the meantime.

--
Iain Morgan
> What I'd like is an option I could put into a configuration file on
> $remote_host to say "sshd should use SHELL=$X for all commands", or
> maybe it might be nicer to be able to say:
> "use SHELL=$X for commands coming from host $Y or network $N"
> or "use SHELL=$X for commands that match the regular expression $Y"
> or a combination of both.

Why not create an additional user on $remote, reusing the same UID and groups, and giving that user the "right" shell?
On 22/01/15 15:17, Jason Vas Dias wrote:
> Thanks Alan & Iain for your replies.
> RE:
>>> ssh 127.0.0.1 dash -c env
>>>
>>> appear to do the expected for me.
>>>
> Yes, it is easy enough to run any program on the remote host
> to read commands from stdin and write results to stdout ;
> but that means you have to send the script to execute separately:
> $ echo "$script" | ssh $remote_host $remote_shell
> and that means you must be aware on the origin host
> exactly what the path of $remote_shell is on the remote host.
> Also using $SHELL -c "$SCRIPT" on the origin host does not work if
> $SCRIPT contains semi-colons; only the first line terminated by
> a semi-colon will be run by $SHELL; remaining lines are run
> by the user's default shell. And that introduces a new level
> of quoting hell .
>
> What I'd like is an option I could put into a configuration file on
> $remote_host to say "sshd should use SHELL=$X for all commands", or
> maybe it might be nicer to be able to say:
> "use SHELL=$X for commands coming from host $Y or network $N"
> or "use SHELL=$X for commands that match the regular expression $Y"
> or a combination of both.
(...)

Edit ~/.ssh/authorized_keys in the remote host and set for your key:

  command="/bin/bash -c 'if [ -z \"$SSH_ORIGINAL_COMMAND\" ]; then exec /bin/good-shell \"$@\"; else exec /bin/good-shell -c \"$SSH_ORIGINAL_COMMAND\"; fi'"

The "choose shell based on subnet" can be implemented by pointing to a shell script that parses $SSH_CONNECTION. This will only work when you authenticate with public key, but if you were routinely executing remote commands like that and entering the key manually each time, you would already be doing things the Wrong Way.

Regards
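The "shell script that parses $SSH_CONNECTION" suggested above, written out as an added example; it is not code from the thread or from OpenSSH. It assumes the script is installed as ~/.ssh/ssh-shell-wrapper on the remote host and named in the key's command= option; the shell paths are the placeholders from Jason's proposed config earlier in the thread, /bin/sh is an assumed fallback, and the "new_shell" prefix handling reimplements his Match idea inside the wrapper. Because the whole of SSH_ORIGINAL_COMMAND is handed to the chosen shell with -c, commands containing semicolons are parsed entirely by that shell, which is the problem the $SHELL -c "$SCRIPT" approach ran into.

```shell
#!/bin/sh
# Added example (not from the thread or from OpenSSH): an authorized_keys
# command= wrapper that picks the login shell from the client's subnet, as
# suggested in the reply above. Assumed install path: ~/.ssh/ssh-shell-wrapper.

# Client address is the first field of SSH_CONNECTION, which sshd sets to
# "client_ip client_port server_ip server_port".
client_ip() {
    set -- $1
    printf '%s\n' "${1:-}"
}

# Map a client address to a shell. The two subnet shells are the placeholder
# paths from the thread; /bin/sh is the assumed fallback for everyone else.
shell_for_client() {
    case "$1" in
        192.168.*) printf '%s\n' /path/to/my/subnet.192.168/shell ;;
        172.16.*)  printf '%s\n' /path/to/my/subnet.172.16/shell ;;
        *)         printf '%s\n' /bin/sh ;;
    esac
}

# Strip a leading "new_shell " token (the thread's Match-prefix idea) and
# print the remaining command. Exit status 0 only when the prefix was present.
strip_new_shell_prefix() {
    case "$1" in
        "new_shell "*) printf '%s\n' "${1#new_shell }"; return 0 ;;
        *)             printf '%s\n' "$1"; return 1 ;;
    esac
}

# Decide shell and command for one session. Results go into SESSION_SHELL and
# SESSION_CMD (SESSION_CMD is empty for an interactive session).
resolve_session() {
    SESSION_SHELL=$(shell_for_client "$(client_ip "$1")")
    if SESSION_CMD=$(strip_new_shell_prefix "$2"); then
        SESSION_SHELL=/path/to/my/latest/shell   # placeholder path from the thread
    fi
}

# Entry point when sshd runs this script as a forced command: SSH_CONNECTION
# is always set by sshd, SSH_ORIGINAL_COMMAND only when the client supplied a
# command. The guard keeps the dispatch from running when the file is merely
# sourced or is not installed under the assumed name.
if [ -n "${SSH_CONNECTION:-}" ] && [ "${0##*/}" = ssh-shell-wrapper ]; then
    resolve_session "$SSH_CONNECTION" "${SSH_ORIGINAL_COMMAND:-}"
    # Refuse outright rather than fall through to an unexpected interpreter
    # if the configured shell is missing or not executable.
    if [ ! -x "$SESSION_SHELL" ]; then
        echo "ssh-shell-wrapper: $SESSION_SHELL is not executable" >&2
        exit 1
    fi
    if [ -z "$SESSION_CMD" ]; then
        exec "$SESSION_SHELL"                     # interactive session
    else
        exec "$SESSION_SHELL" -c "$SESSION_CMD"   # whole command, parsed by one shell
    fi
fi
```

The matching authorized_keys entry would be command="/home/someuser/.ssh/ssh-shell-wrapper" followed by the key (path assumed). The per-subnet rule keys on the first field of SSH_CONNECTION only, so a client on the 192.168/16 subnet and one on 172.16/16 get different shells while anything else gets the fallback; the same caveat the reply gives still applies, since a forced command is only attached to public-key authentication.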