Hi,

the man page and docs of ssh client say "If command is specified, it is executed on the remote host instead of a login shell."

But afaik this is not quite accurate. The login shell is always started. But if a command is specified it runs that command instead of just opening an interactive setting.

So if a user has /dev/false as login shell, you cannot run a command on that host via ssh, because it tries to run "/dev/false <command>" or something like that.

Yours
David

-- 
David Rabel
Linux Consultant & Trainer
Tel.: +49-1511-5908566
Mail: rabel at b1-systems.de

B1 Systems GmbH
Osterfeldstraße 7 / 85088 Vohburg / http://www.b1-systems.de
GF: Ralph Dehner / Unternehmenssitz: Vohburg / AG: Ingolstadt, HRB 3537
> "If command is specified, it is executed on the remote host instead of a
> login shell."
>
> But afaik this is not quite accurate. The login shell is always started.
> But if a command is specified it runs that command instead of just
> opening an interactive setting.

Not quite. A "login shell" is a specific term in Unix. It means (roughly) the shell the user has defined (eg in /etc/passwd) but run in a specific way.

If you look at the underlying C calls you might see something like

  execl("/bin/sh","sh",NULL)

That would run a normal shell. However

  execl("/bin/sh","-sh",NULL)

would be a "login shell". Note the extra "-" character. This tells the shell that it is being called as a login shell, rather than a subshell.

So if you do something like

  ssh remotehost

then on the remote host it will look up the shell defined in the passwd file (eg /bin/sh) and do something similar to

  execl("/bin/sh","-sh",NULL)

(The exact calls are more complicated, but this is the essence; I've simplified)

However if you do

  ssh remotehost command

then it does something more like

  execl("/bin/sh","sh","-c",command,NULL)

> So if a user has /dev/false as login shell, you cannot run a command on

So here is where your confusion over terminology led you wrong. The password file defines the shell to be used. How the shell is called determines if it is being used as a login shell or not.

You can read more about "login shells" if you do "man bash" and skip down to the INVOCATION section

-- 
rgds
Stephen
On 2017-12-06T15:03, Stephen Harris <lists at spuddy.org> wrote:
> > So if a user has /dev/false as login shell, you cannot run a command on

The specified shells in /etc/passwd are also often checked against a list of allowed shells in /etc/shells by PAM. Users without an allowed shell (the usual entry to make there is /bin/false) are denied access, usually even in services that never spawn a shell in the first place, e.g. IMAP or graphical sessions. See also pam_shells(8).

This has little to do with SSH, but it makes /bin/false a bad example for a shell here, since the aforementioned mechanism might lead to nothing being executed at all, not even /bin/false.

Ciao,
Alexander Wuerstlein.
Hi Stephen,

thanks for that answer.

On 12/06/2017 02:58 PM, Stephen Harris wrote:
>> "If command is specified, it is executed on the remote host instead of a
>> login shell."
>>
>> But afaik this is not quite accurate. The login shell is always started.
>> But if a command is specified it runs that command instead of just
>> opening an interactive setting.
>
> Not quite. A "login shell" is a specific term in Unix. It means (roughly)
> the shell the user has defined (eg in /etc/passwd) but run in a specific
> way.

The term "login shell" also refers to the shell defined in /etc/passwd in general. For example chsh(1) says "chsh - change your login shell". So in this way it's the shell that the user uses to login, not a shell run in a specific way.

I know that the second meaning is also valid and may be more common. But not to be explicit here is confusing. From the man page it is not clear if a shell is executed at all.

>> So if a user has /dev/false as login shell, you cannot run a command on
>
> So here is where your confusion over terminology led you wrong. The
> password file defines the shell to be used. How the shell is called
> determines if it is being used as a login shell or not.
>

Well, it's not actually my confusion over terminology. The terminology itself is ambiguous. We should consider this in the man page.

Yours
David