Ssh forced command for system users.

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

 



Hi !

  I just notice this behaviour (I guess I was not paying enough
attention). While working on setting up integration testing for a
project of mine, that works through ssh, I had issues that I could not
reproduce on my development machine. The problem stemmed in the fact
that the CI system running the test suite is a user with its shell set
to /usr/sbin/nologin (Buildbot, on a Debian system, but OpenBSD's
_buildslave user has a similar with its shell set to /sbin/nologin).

When a user is set-up this way, setting a forced command in its
~/.ssh/authorized_keys file is pointless. Indeed ssh launches the
forced command through a shell. Which shell is launched is
determined with getpwnam, which returns /usr/sbin/nologin. Thus the failure.

I was wondering why SSH uses a shell to start a forced command (one
hypothesis I have is to
set up a proper environment for the subsequent session (setting PATH,
HOME, ...), which I think
SSH does not do. Does this not counter-act the purpose of forced command ?

On the other side what are the real benefits, security-wise, of
setting the users shell to /sbin/nologin (or similar command from),
apart from: preventing local log in or preventing the use system(2)
(why does this still exists !?), but which may not be a small threat
given how many scripting languages still binds it.

Any comments ? Any ways to circumvent this ? Or shouldn't ssh not use
a shell to launch forced commands ? I looked in the archive, and its
seems to me this issue has not been raised before. My apologies if it
has.

Regards,
Nicolas.
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev




[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux