
chris at qwirx
Mar 23, 2008, 8:19 AM
Post #2 of 2
Re: ForceCommand and NFS-shared home directories (was re: openssh-unix-dev Digest, Vol 59, Issue 12)
Hi Jeremy and Mikhail,

Jeremy, thanks for offering assistance but please don't top-post, it doesn't help us to follow the thread (especially with that subject line). I've rearranged the posts here for the benefit of others.

> On Mar 22, 2008, at 3:32 PM, openssh-unix-dev-request [at] mindrot wrote:
>
>> As I understand the "ForceCommand" in the sshd_config file is meant to
>> ignore any command supplied by the client, but if the user's home is shared
>> by server and client machines over a network (e.g. NFS) then the user can
>> still put something else into the ~/.ssh/rc file and overcome this
>> limitation. Is it possible to disable execution of the ~/.ssh/rc file
>> in such a case?

On Sun, 23 Mar 2008, Jeremy McMillan wrote:

> This problem can be solved by chowning the rc (and user conf files)
> files to some other user and chmod'ing the group and other write bits
> off. I say this because usually, when people use "ForceCommand" the
> intention is to severely restrict a particular account. Going down
> this path requires that you do a lot of homework around restricted
> shells/profiles/etc. and changes you might need to make to the
> default environment your OS provides. Ssh cannot and should not be
> expected to encapsulate all of the things that need attention if this
> is your goal.

Unfortunately I don't believe that you are correct in general. If the user has read-write access to their home directory, and it's not protected by some bizarre magical filesystem, then they can replace .ssh at will. For example:

    mkdir ~/.ssh2
    echo "echo 'Hello there!'" > ~/.ssh2/rc
    mv ~/.ssh ~/.ssh.old
    mv ~/.ssh2 ~/.ssh

This should be possible, whatever permissions you place on ~/.ssh or its contents. If you can see a flaw in my logic then I'd be very interested to hear it.

Mikhail, I don't believe there is an option to disable the rc file at present, but it sounds like a useful thing to add.

Cheers, Chris.
-- 
 _ ___ __ _ / __/ / ,__(_)_ | Chris Wilson <0000 at qwirx.com> - Cambs UK |
/ (_/ ,\/ _/ /_ \           | Security/C/C++/Java/Perl/SQL/HTML Developer |
\ _/_/_/_//_/___/           | We are GNU-free your mind-and your software |

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev [at] mindrot
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
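The switch Chris says did not exist in 2008 was added later: OpenSSH 7.2 introduced the sshd_config keyword PermitUserRC (with a matching no-user-rc authorized_keys option), so a ForceCommand account on an NFS-shared home can be closed off by setting it to "no" in the same Match block. The POSIX shell audit below is an added example, not code from this thread or from the OpenSSH project; the function names and the sample sshd_config excerpt are constructed for illustration, and it assumes a server new enough to honour PermitUserRC.

```shell
#!/bin/sh
# Audit an sshd_config for sections that set ForceCommand while ~/.ssh/rc
# is still executed (PermitUserRC absent or not "no").  Keywords are
# case-insensitive, as sshd treats them; "Keyword=value" syntax is not
# handled (assumption: space-separated directives only).
audit_forcecommand_rc() {
  # $1 = path to an sshd_config file; prints one line per offending section.
  awk '
    BEGIN { sec = "global" }                 # directives before any Match
    {
      sub(/#.*/, ""); sub(/^[ \t]+/, ""); sub(/[ \t]+$/, "")
      if ($0 == "") next
      key = tolower($1); val = tolower($2)
      if (key == "match")        { sec = $0; next }   # start a new Match block
      if (key == "forcecommand") force[sec] = 1
      if (key == "permituserrc") rc[sec] = val
    }
    END {
      for (s in force) {
        # A Match block inherits the global value when it sets none; the
        # compiled-in default is "yes", i.e. rc is executed.
        if (s in rc) eff = rc[s]
        else if ("global" in rc) eff = rc["global"]
        else eff = "yes"
        if (eff != "no")
          printf "%s: ForceCommand set but PermitUserRC is %s\n", s, eff
      }
    }
  ' "$1"
}

make_sample_config() {
  # Constructed sample config, written to a temp file; prints its path.
  f=$(mktemp) || return 1
  cat >"$f" <<'EOF'
# constructed sshd_config excerpt (not a real server's configuration)
Port 22
Match Group backup
    ForceCommand /usr/local/bin/backup-only
    PermitUserRC no
Match User mirror
    ForceCommand /usr/local/bin/rsync-only
EOF
  printf '%s\n' "$f"
}

# Usage: audit_forcecommand_rc /etc/ssh/sshd_config
```

Run against a real server's sshd_config the script prints nothing when every ForceCommand section also disables the user rc file, which is the state to aim for on shared home directories.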