Mailing List Archive: OpenSSH: Users

ForceCommand executes shell

walter at sara

Apr 19, 2011, 5:23 AM

Post #1 of 3 (5792 views)
ForceCommand executes shell

Hi,

I have set up a sshd_config that uses an alternate port number and
ForceCommand to force the execution of a home-made service to our users.

ForceCommand executes the command using 'shell' '-c', and as a result
the user's .bashrc, .tcshrc, .whateverrc is being loaded -- which is
something I was trying to prevent, because I'm trying to "force a
command" upon them. In my case loading a .bashrc can be considered as a
security hole.

Is there any way around this? Maybe a different kind of setup would be
better?
I like using ssh for the service because of its excellent authentication
mechanisms.

I even made a patch to sshd session.c (see below) but I'd rather not
have to maintain local mods to the source.


Greets,

--Walter


    void do_child()
    {
        /* ... (unchanged part of session.c's do_child omitted) ... */

        /* original OpenSSH code: run the command through the user's login
         * shell, which reads its rc files (~/.bashrc, ~/.tcshrc, ...) */
        /*
        argv[0] = (char *) shell0;
        argv[1] = "-c";
        argv[2] = (char *) command;
        argv[3] = NULL;
        */
        /* patched: always use bash, and tell it to skip rc and profile files */
        argv[0] = "/bin/bash";
        argv[1] = "--norc";
        argv[2] = "--noprofile";
        argv[3] = "-c";
        argv[4] = (char *)command;
        argv[5] = NULL;

        /* exec argv[0] rather than 'shell': 'shell' is the user's login shell,
         * and --norc/--noprofile are bash options that tcsh would reject */
        execve(argv[0], argv, env);
        perror(argv[0]);
        exit(1);
    }


--
*** If you build it, they will come ***

HPC Systems Programmer at SARA Computing and Network Services
People should be able to e-mail me, spambots should not.


jmales at cio

Apr 20, 2011, 8:25 AM

Post #2 of 3 (5653 views)
RE: ForceCommand executes shell

If you only ever want the user account to perform the one function, override their system shell.

example:
oper:x:519:519::/home/oper:/usr/local/bin/oper-only-ever-gets-to-do-this.sh

Regardless of how the account logs in, telnet, ssh, &c they'll only execute that one thing.





walter at sara

Apr 20, 2011, 11:50 PM

Post #3 of 3 (5670 views)
Re: ForceCommand executes shell

Hi,

This works, but ruins the possibility of having a normal shell on the
standard port 22.

Another note, if you want the possibility of letting the user specify
any command-line arguments, oper-only-ever-gets-to-do-this.sh should
accept the '-c' argument as sshd executes 'shell' '-c'.

Something else, I noticed that an scp also triggers the execution of
~/.bashrc and ~/.ssh/rc on the remote side. Isn't this odd?


Greets,

--Walter


On 04/20/2011 05:25 PM, Males, Jess wrote:
> If you only ever want the user account to perform the one function, override their system shell.
>
> example:
> oper:x:519:519::/home/oper:/usr/local/bin/oper-only-ever-gets-to-do-this.sh
>
> Regardless of how the account logs in, telnet, ssh, &c they'll only execute that one thing.

--
*** If you build it, they will come ***

HPC Systems Programmer at SARA Computing and Network Services
People should be able to e-mail me, spambots should not.
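The login-shell approach Jess proposes, carried through as an added example that is not code from this thread: a restricted shell that accepts the '-c' sshd passes (Walter's first note) and, by checking which port sshd accepted the connection on, leaves ordinary logins on port 22 alone (Walter's objection). The service path, the service port 2222 and the installed name restricted-shell are assumptions of the example; the fourth field of SSH_CONNECTION being the server port is what sshd documents.

```shell
#!/bin/sh
# Added example (not code from this thread): a restricted login shell in the
# spirit of Jess's oper-only-ever-gets-to-do-this.sh, set in /etc/passwd.
# sshd runs the login shell as "<shell> -c '<command>'", so -c is accepted;
# on the service port no bash/tcsh ever starts, so no rc file is read.
# Assumed, site-specific values (hypothetical):
SERVICE="${SERVICE:-/usr/local/libexec/home-made-service}"
SERVICE_PORT="${SERVICE_PORT:-2222}"    # the alternate sshd port
REAL_SHELL="${REAL_SHELL:-/bin/bash}"   # for ordinary port-22 logins
# Port sshd accepted on: 4th field of SSH_CONNECTION ("cip cport sip sport").
server_port() {
    set -- ${SSH_CONNECTION:-}
    [ "$#" -eq 4 ] && printf '%s\n' "$4"
}

# Decide what this invocation may do; prints one of: shell | service | deny.
# "$@" is exactly what sshd handed to the login shell.
decide() {
    if [ "$(server_port)" != "$SERVICE_PORT" ]; then
        echo shell      # normal port: behave like an ordinary login shell
        return 0
    fi
    # Service port: only "-c '<SERVICE> [args]'" (what ForceCommand yields)
    # is acceptable; interactive logins, scp/sftp and other commands are not.
    if [ "$#" -eq 2 ] && [ "$1" = "-c" ] && [ "${2%% *}" = "$SERVICE" ]; then
        case "$2" in
            *[\;\|\&\`\$\(\)\<\>]*) echo deny ;;   # metacharacters in args
            *) echo service ;;
        esac
        return 0
    fi
    echo deny
}
main() {
    case "$(decide "$@")" in
        shell)   exec "$REAL_SHELL" "$@" ;;        # rc files are fine here
        service) logger -t restricted-shell "$(id -un): run $2"
                 # Word-split the checked string, drop the service path,
                 # pass the user's own arguments through; no shell involved.
                 # shellcheck disable=SC2086
                 set -- $2; shift
                 exec "$SERVICE" "$@" ;;
    esac
    logger -t restricted-shell "$(id -un): deny ${*:-<interactive>}"
    echo "This port only runs the designated service." >&2
    exit 127
}
# Dispatch only when installed under this name; sourcing just defines functions.
case "$0" in */restricted-shell) main "$@" ;; esac
```

Install it as the account's shell in /etc/passwd; on the alternate port sshd's ForceCommand supplies the '-c <service>' invocation, so the user's rc files never come into play and anything else, scp included, is logged and refused.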
