On Thu, Jan 22, 2015 at 14:17:13 +0000, Jason Vas Dias wrote:
> Thanks Alan & Iain for your replies.
> RE:
> >> ssh 127.0.0.1 dash -c env
> >>
> >> appear to do the expected for me.
> >>
> Yes, it is easy enough to run any program on the remote host
> to read commands from stdin and write results to stdout;
> but that means you have to send the script to execute separately:
> $ echo "$script" | ssh $remote_host $remote_shell
> and that means you must be aware on the origin host
> exactly what the path of $remote_shell is on the remote host.
> Also using $SHELL -c "$SCRIPT" on the origin host does not work if
> $SCRIPT contains semi-colons; only the first line terminated by
> a semi-colon will be run by $SHELL; remaining lines are run
> by the user's default shell. And that introduces a new level
> of quoting hell.
>
> What I'd like is an option I could put into a configuration file on
> $remote_host to say "sshd should use SHELL=$X for all commands", or
> maybe it might be nicer to be able to say:
> "use SHELL=$X for commands coming from host $Y or network $N"
> or "use SHELL=$X for commands that match the regular expression $Y"
> or a combination of both.
>
> The problem is of course, there appears to be no user-specific
> configuration file for sshd beyond ~/.ssh/rc - and I don't think
> that is the right file. AFAICS, sshd does not parse the user's
> ~/.ssh/config - this is used only by the 'ssh' client for OUTGOING commands.
>
> It appears sshd needs a per-user config file for INCOMING commands.
>
> So the patch would need to add a new "~/.ssh/sshd_config" file, which
> could contain lines like:
> # for commands coming from hosts on subnet 192.168/16, use this shell:
> Host 192.168/16
> Shell /path/to/my/subnet.192.168/shell
> # for commands coming from hosts on subnet 172.16/16, use this shell:
> Host 172.16/16
> Shell /path/to/my/subnet.172.16/shell
> # for commands which start with 'new_shell', use specified shell and
> # remove prefixing 'new_shell' :
> Match ^(new_shell)\ (.*) = \2
> Shell /path/to/my/latest/shell
>
> If I develop such a patch, would there be any interest in it / likelihood
> of it being incorporated in a future OpenSSH release?
>
> Iain, I'd be most interested to see your 'ForceShell' patch.
> Please could you post it? Does it apply to commands from
> particular hosts, or all incoming commands?
>
> Thanks & Regards,
> Jason
>

First, my apologies for not including the URL or bugzilla ID. The bug (and
patch) can be found at:

https://bugzilla.mindrot.org/show_bug.cgi?id=2062

The patch adds a ForceShell option to sshd_config, similar to ForceCommand,
except that it overrides the shell used to invoke remote commands or for
interactive sessions. With such an option, you could use a Match block to
override the shell for particular users, and could do so based on the client
host or any other criteria supported by the match directive. For example:

Match User sombody Host foo.example.com
    ForceShell /bin/dash

As noted above, it is an sshd_config option, and thus cannot be set directly
by the user. From a policy enforcement standpoint, this seems the better way
to approach things.

Unfortunately, I haven't touched the patch in two years, so I'm not sure if it
still applies cleanly. I'll see if I can set aside some time to update the
patch, but that may be a week or two away. Feel free to give it a try in the
meantime.
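The semicolon problem Jason describes above, shown as an added example that is not code from the thread or from OpenSSH: a local emulation of the remote-command path. It assumes that the ssh client joins its command arguments with spaces and that sshd hands the result to the login shell as a -c argument, with /bin/sh standing in for both the login shell and the chosen shell (the chosen one is tagged with X=inner so its output is distinguishable).

```shell
#!/bin/sh
# Added illustration (not from the thread or OpenSSH): emulate how a remote
# command reaches the login shell, show why "$SHELL -c $SCRIPT" splits on
# semicolons, and show two ways to pass the script intact.
#
# Assumption: the ssh client joins its arguments with single spaces and
# sshd runs that string via `$SHELL -c`; /bin/sh plays the login shell.
remote_exec() {
    sh -c "$*"
}

# Constructed two-command script; each line reports which shell ran it
# (X=inner is only set for the shell we meant to use).
SCRIPT='echo "$X:first"; echo "$X:second"'

# Naive form: the login shell re-parses the joined string, so the chosen
# shell receives only "echo" and the login shell itself runs the second
# command, without X set.
naive() {
    remote_exec env X=inner sh -c "$SCRIPT"
}

# Fix 1: single-quote the script (escaping embedded single quotes) so it
# survives the login shell's parse as exactly one argument.
shquote() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}
quoted() {
    remote_exec env X=inner sh -c "$(shquote "$SCRIPT")"
}

# Fix 2: send the script on stdin, as the thread suggests; no quoting needed,
# but the remote shell path must be known in advance.
stdin_form() {
    printf '%s\n' "$SCRIPT" | remote_exec env X=inner sh
}

printf 'naive:\n';  naive
printf 'quoted:\n'; quoted
printf 'stdin:\n';  stdin_form
```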
-- 
Iain Morgan

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev