Secure Shell
ForceCommand executes shell Apr 19 2011 12:23PM
Walter de Jong (walter sara nl) (1 replies)
RE: ForceCommand executes shell Apr 20 2011 03:25PM
Males, Jess (jmales cio sc gov) (1 replies)
If you only ever want the user account to perform the one function, override their system shell.


Regardless of how the account logs in, telnet, ssh, &c they'll only execute that one thing.

From: listbounce (at) securityfocus (dot) com [listbounce (at) securityfocus (dot) com] On Behalf Of Walter de Jong [walter (at) sara (dot) nl]
Sent: Tuesday, April 19, 2011 8:23 AM
To: secureshell (at) securityfocus (dot) com
Subject: ForceCommand executes shell


I have set up a sshd_config that uses an alternate port number and
ForceCommand to force the execution of a home-made service to our users.

ForceCommand executes the command using 'shell' '-c', and as a result
the user's .bashrc, .tcshrc, .whateverrc is being loaded -- which is
something I was trying to prevent, because I'm trying to "force a
command" upon them. In my case loading a .bashrc can be considered as a
security hole.

Is there any way around this? Maybe a different kind of setup would be
I like using ssh for the service because of its excellent authentication

I even made a patch to sshd session.c (see below) but I'd rather not
have to maintain local mods to the source.



void do_child()

argv[0] = (char *) shell0;
argv[1] = "-c";
argv[2] = (char *) command;
argv[3] = NULL;
argv[0] = "/bin/bash";
argv[1] = "--norc";
argv[2] = "--noprofile";
argv[3] = "-c";
argv[4] = (char *)command;
argv[5] = NULL;

execve(shell, argv, env);
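
Review bot: argv[0] is hard-coded to "/bin/bash" and the vector now carries the bash-only options --norc and --noprofile, but the final execve(shell, argv, env) still executes the account's own login shell. An account whose shell is tcsh (the message itself mentions .tcshrc) would be handed options that shell does not accept. Either exec a fixed path at this point or pick the no-rc options per shell. Also confirm that argv is declared with room for the six entries now stored, since its declaration is not visible in this fragment.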

*** If you build it, they will come ***

HPC Systems Programmer at SARA Computing and Network Services
People should be able to e-mail me, spambots should not.

[ reply ]
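
The reply's suggestion of overriding the account's login shell, sketched as an added example that is not part of the thread and not OpenSSH code: a minimal login shell that ignores whatever `-c` command it is handed and execs one fixed service with a fresh environment, so no rc file is ever read. `SERVICE_PATH`, the function names and the environment values are assumptions for illustration.

```c
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define SERVICE_PATH "/usr/local/libexec/our-service" /* hypothetical path */

/* sshd starts the login shell as "<shell> -c <command>" (the invocation
 * quoted above). Return that command, or NULL for a plain login. */
const char *requested_command(int argc, char *const argv[])
{
    if (argc >= 3 && strcmp(argv[1], "-c") == 0)
        return argv[2];
    return NULL;
}

/* Fill envp with a fixed environment. Nothing is inherited, so BASH_ENV,
 * ENV, LD_PRELOAD and similar variables never reach the service.
 * Returns the number of entries, or -1 if a value did not fit. */
int build_env(const char *user, const char *home,
              char store[3][256], char *envp[4])
{
    int n[3];
    n[0] = snprintf(store[0], 256, "PATH=/usr/bin:/bin");
    n[1] = snprintf(store[1], 256, "LOGNAME=%s", user);
    n[2] = snprintf(store[2], 256, "HOME=%s", home);
    for (int i = 0; i < 3; i++) {
        if (n[i] < 0 || n[i] >= 256)
            return -1;
        envp[i] = store[i];
    }
    envp[3] = NULL;
    return 3;
}

int main(int argc, char *argv[])
{
    char store[3][256];
    char *envp[4];
    char *svc_argv[] = { "our-service", NULL };
    struct passwd *pw = getpwuid(getuid()); /* not taken from the environment */
    if (!pw || build_env(pw->pw_name, pw->pw_dir, store, envp) != 3)
        return 111;
    if (requested_command(argc, argv))
        fprintf(stderr, "requested command ignored\n");
    execve(SERVICE_PATH, svc_argv, envp);   /* no shell, so no rc files */
    perror("execve");
    return 127;
}
```

Installed as the account's shell field in /etc/passwd, it runs the same service whether sshd invokes it for a login, a client-supplied command, or a ForceCommand.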
Re: ForceCommand executes shell Apr 21 2011 06:50AM
Walter de Jong (walter sara nl)

