similar to: ForceCommand and NFS-shared home directories

Hi, As I understand the "ForceCommand" in the sshd_confing file is meant to ignore any command supplied by the client, but if user's home is shared by server and client machines over network (ex. NFS) then user can still put something else into ~/.ssh/rc file and overcome this limitation. Is it possible to disable execution of the ~/.ssh/rc file in such a case? Thaks, Mike

This problem can be solved by chowning the rc (and user conf files) files to some other user and chmod'ing the group and other write bits off. I say this because usually, when people use "ForceCommand" the intention is to severely restrict a particular account. Going down this path requires that you do a lot of homework around restricted shells/profiles/etc. and changes you

Hi, This patch makes things like ForceCommand internal-sftp -l INFO work (current code in 5.1 would just end the session). Please consider for inclusion into mainline. Michael. --- /var/tmp/session.c 2008-08-18 21:07:10.000000000 -0700 +++ session.c 2008-08-18 21:12:51.000000000 -0700 @@ -781,7 +781,7 @@ if (options.adm_forced_command) { original_command = command;

https://bugzilla.mindrot.org/show_bug.cgi?id=1599 Summary: "ForceCommand internal-sftp" not working as expected Product: Portable OpenSSH Version: 5.2p1 Platform: ix86 OS/Version: Linux Status: NEW Severity: normal Priority: P2 Component: sshd AssignedTo: unassigned-bugs at mindrot.org

The previous version broke the case of internal-sftp without arguments. This is a fixed version. --- /var/tmp/session.c 2008-08-18 21:07:10.000000000 -0700 +++ session.c 2008-08-19 11:28:29.000000000 -0700 @@ -781,7 +781,7 @@ if (options.adm_forced_command) { original_command = command; command = options.adm_forced_command; - if

https://bugzilla.mindrot.org/show_bug.cgi?id=2281 Bug ID: 2281 Summary: sshd accepts empty arguments in ForceCommand and VersionAddendum Product: Portable OpenSSH Version: 6.6p1 Hardware: Other OS: Linux Status: NEW Severity: normal Priority: P5 Component: sshd

Hello, I am trying to force a command for all users *except* for users in the "wheel" group. My idea was to do the following in sshd_config: ForceCommand /usr/bin/validate-ssh-command Match Group wheel ForceCommand But obviously this doesn't work, because ForceCommand requires an argument. I couldn't find a way to achieve what I want. I wrote a patch that adds a

https://bugzilla.mindrot.org/show_bug.cgi?id=1527 Summary: ForceCommand internal-sftp needs a way to enable logging Product: Portable OpenSSH Version: 5.1p1 Platform: Itanium2 OS/Version: HP-UX Status: NEW Severity: minor Priority: P4 Component: sftp-server AssignedTo:

Hi guys, I have a server setup with openssh-5.0p1 and use some users as sftp-only chroot accounts. The following configuration yields exactly the result I want: user is chrooted, logs to syslog, all is good. #================================================# Subsystem sftp internal-sftp -f AUTHPRIV -l VERBOSE Match User fredwww ChrootDirectory %h #ForceCommand internal-sftp

Hi All First of all apologize for my bad English ? it is not my native language. I'm using ssh for my everyday work. And I have noticed strange behaviour in sshd daemon. In sshd_config file there is option ForceCommand, and if I'm making sftp connection it look like command is also executed, I receive error message and connection is lost. In my opinion ForceCommand should not be

https://bugzilla.mindrot.org/show_bug.cgi?id=2486 Bug ID: 2486 Summary: allow ForceCommand none or similar Product: Portable OpenSSH Version: -current Hardware: All OS: All Status: NEW Severity: enhancement Priority: P5 Component: sshd Assignee: unassigned-bugs at mindrot.org

Hello List, I'am using the ForceCommand in my sshd configuration to log all the user actions on my device. ForceCommand /usr/bin/log-session.sh The Log Session Script itself is working fine for logging. But now I want also use SCP to copy files and this won't work together with the ForceCommand above. The copied file is created but its zero byte on the target. scp file.tar.gz

Hi Peter, What I am looking for is an SSHD configuration where every successfully authenticated connection also guaranteedly will lead to a ForcedCommand invocation. Currently I understand this to be the case only for the connections that open channel to deliver a terminal, command or SFTP (I don't know if you have a collective name for such non-forwarding channels). Is this possible?

https://bugzilla.mindrot.org/show_bug.cgi?id=1606 Summary: internal-sftp does not drop conections properly, it will hang Product: Portable OpenSSH Version: 5.2p1 Platform: Itanium OS/Version: HP-UX Status: NEW Severity: normal Priority: P2 Component: sshd AssignedTo:

Hello everybody, I'm a C/C++ consultant working for Ericsson. I changed the OpenSSH-Portable code to add a new criteria into the Match sshd_config option read by the sshd server. The new criteria is "Subsystem"; so a conditional block based on subsystem client request can now be added to the sshd_config configuration server file to override settings in its global section.

I've hit two roadblocks while using openssh -D as a general proxy: - openssh doesn't have an internal-null, so the options are to either give the user account a real shell and ForceCommand, or set the shell to something like /bin/cat and ChrootDirectory. I don't want proxy-only accounts to have a shell at all. - Comparing mini-httpd SSL/aes256 vs mini-httpd (localhost/no SSL) via

Hallo. If `sshd` is configured to have a ForceCommand, no `ssh ?N` must skip this *forced* server?s setup, isn?t it? But it isn?t so. Thus, admin may think that the command is forced by a server, but user can skip that. In such case only port forwarding is available, but anyway *force* is meaningless, IMHO. -- sed 'sed && sh + olecom = love'? <<? '' -o--=O`C

I would like to implement an arbitrary script to be executed when logging on via SSH. This is supposedly possible using the ForceCommand option to sshd. However, as soon as I implement any script, even as simple as echoing a string, clients can no longer connect to the server. Clients report only that the connection was dropped by the server. The server, in debug mode, shows: Feb 17 16:14:01

Hi, We're developing an open source project that uses SSH certificates. We issue short lived certificates (few minutes) to execute commands on behalf of users. We have a use case where we need to issue certificates with 10 days validity and store them, so we put a command inside them: ssh-keygen -s ca-key -I certN -n user -O force-command="wget something" -V +10d user-key.pub and

Gert, Thank you for the feedback. Can you give any further direction on where to get more information on what you are describing? On Wed, Feb 17, 2016 at 3:17 PM, Gert Doering <gert at greenie.muc.de> wrote: > Hi, > > On Wed, Feb 17, 2016 at 12:59:57PM -0600, Lesley Kimmel wrote: > > I would like to implement an arbitrary script to be executed when logging > > on via