search for: _path_ssh_user_rc

> > On Mar 22, 2008, at 3:32 PM, Chris Wilson wrote: > > > >> As I understand the "ForceCommand" in the sshd_confing file is meant to > >> ignore any command supplied by the client, but if user's home is shared > >> by server and client machines over network (ex. NFS) then user can > >> still put something else into ~/.ssh/rc file and

...oid do_rc_files(Session *s, const char *shell) @@ -1111,11 +1113,12 @@ int do_xauth; struct stat st; - do_xauth = + do_xauth = !auth_restricted(RESTRICT_X11, s->pw) && s->display != NULL && s->auth_proto != NULL && s->auth_data != NULL; /* ignore _PATH_SSH_USER_RC for subsystems */ - if (!s->is_subsystem && (stat(_PATH_SSH_USER_RC, &st) >= 0)) { + if (!s->is_subsystem && !auth_restricted(RESTRICT_RC, s->pw) && + (stat(_PATH_SSH_USER_RC, &st) >= 0)) { snprintf(cmd, sizeof cmd, "%s -c '%s %s'&q...

Hi, sorry if it is the wrong approuch to suggest improvments to OpenSSH, but here comes my suggestion: I recently stumbled upon the scponly shell which in it's chroot:ed form is an ideal solution when you want to share some files with people you trust more or less. The problem is, if you use the scponlyc as shell, port forwarding is still allowed. This can of course be dissallowed in

...quot; /* * Per-user and system-wide ssh "rc" files. These files are executed with *************** *** 101,108 **** * passed "proto cookie" as arguments if X11 forwarding with spoofing is in * use. xauth will be run if neither of these exists. */ ! #define _PATH_SSH_USER_RC ".ssh/rc" ! #define _PATH_SSH_SYSTEM_RC ETCDIR "/sshrc" /* * Ssh-only version of /etc/hosts.equiv. Additionally, the daemon may use --- 108,115 ---- * passed "proto cookie" as arguments if X11 forwarding with spoofing is in * use. xauth will be ru...