If you only ever want the user account to perform the one function, override their system shell. Example:

    oper:x:519:519::/home/oper:/usr/local/bin/oper-only-ever-gets-to-do-this.sh

Regardless of how the account logs in (telnet, ssh, &c.), they'll only execute that one thing.

________________________________________
From: listbounce@xxxxxxxxxxxxxxxxx [listbounce@xxxxxxxxxxxxxxxxx] On Behalf Of Walter de Jong [walter@xxxxxxx]
Sent: Tuesday, April 19, 2011 8:23 AM
To: secureshell@xxxxxxxxxxxxxxxxx
Subject: ForceCommand executes shell

Hi,

I have set up an sshd_config that uses an alternate port number and ForceCommand to force the execution of a home-made service on our users.

ForceCommand executes the command using 'shell' '-c', and as a result the user's .bashrc, .tcshrc, .whateverrc is being loaded -- which is something I was trying to prevent, because I'm trying to "force a command" upon them. In my case loading a .bashrc can be considered a security hole.

Is there any way around this? Maybe a different kind of setup would be better? I like using ssh for the service because of its excellent authentication mechanisms.

I even made a patch to sshd session.c (see below) but I'd rather not have to maintain local mods to the source.

Greets,
--Walter

    void do_child()
        /* original sshd code: run the account's shell as `shell -c command` */
        /* argv[0] = (char *) shell0;
        argv[1] = "-c";
        argv[2] = (char *) command;
        argv[3] = NULL; */

        /* local change: pass bash's --norc/--noprofile so no rc file is read.
         * Note that execve() below still runs `shell` (the shell from the
         * account's passwd entry), so these bash-only flags assume that shell
         * is bash; argv must have room for six entries. */
        argv[0] = "/bin/bash";
        argv[1] = "--norc";
        argv[2] = "--noprofile";
        argv[3] = "-c";
        argv[4] = (char *)command;
        argv[5] = NULL;
        execve(shell, argv, env);
        perror(shell);   /* only reached if execve() fails */
        exit(1);

--
*** If you build it, they will come ***
HPC Systems Programmer at SARA Computing and Network Services
People should be able to e-mail me, spambots should not.