
How to limit remote command execution


Markus Moeller

Mar 27, 2013, 4:35:29 PM
Hi

I'd like to limit commands of a user by using a restricted shell

# su - ruser
ruser@opensuse12:/home/ruser> cat /etc/passwd
-rksh: cat: not found [No such file or directory]
ruser@opensuse12:/home/ruser>

but when I use remote commands I get

ssh ruser@opensuse12 cat /etc/passwd | grep ruser
Password:
ruser:x:1002:100::/home/ruser:/usr/bin/rksh


How can I force ssh to use rksh ?

Thank you
Markus

Wolfgang Meiners

Mar 28, 2013, 8:31:56 AM
On 27.03.13 21:35, Markus Moeller wrote:
This is interesting.
Obviously you changed the default user shell by chsh. On
http://serverfault.com/questions/106722/choosing-the-shell-that-ssh-uses
I found

'man chsh changes shell, does not always work

Alternatively, you can stick exec /bin/zsh in your bash login
script. This will replace bash instance with your shell.

Or you can do ssh host "zsh -l"
'

to use zsh but I think this is not possible for a restricted shell. You
could simply exit the shell and have sh again. (I didn't try it out).

Maybe you can find a solution in man sshd if you search for
LOGIN PROCESS
and figure out what is going wrong.

A second possible solution might be to use PubKeyAuthentication for
ruser and to force the key to load rksh. Read man sshd and search for
AUTHORIZED_KEYS FILE FORMAT

A third possible solution might be to use
ForceCommand
in /etc/sshd_config inside a Match block.

Hope it helps.
Wolfgang
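
The ForceCommand suggestion above, sketched as an added example; it is not code from any poster in this thread. It assumes ruser's login shell is an unrestricted /bin/sh so that sshd can start the script by path, and the install path, the allowlist and the ssh-gate log tag are hypothetical.

```shell
#!/bin/sh
# Gatekeeper for "ForceCommand" or an authorized_keys command="..." option.
# Assumed sshd_config stanza (install path is hypothetical):
#   Match User ruser
#       ForceCommand /usr/local/sbin/ssh-gate
# sshd puts the command the client requested in SSH_ORIGINAL_COMMAND
# (unset for an interactive login) and runs this script instead of it.

RPATH=/usr/rbin                    # restricted bin directory from the thread
ALLOWED="ls scp sftp-server"       # constructed allowlist of names in $RPATH
NL='
'

# classify REQUEST: prints "shell", "run <command line>" or "deny".
classify() {
    req=$1
    if [ -z "$req" ]; then echo shell; return 0; fi
    # Only a single simple command may pass: refuse shell metacharacters.
    case $req in
        *\;*|*\&*|*\|*|*\<*|*\>*|*\`*|*\$*|*\(*|*\)*|*\\*|*"$NL"*)
            echo deny; return 0 ;;
    esac
    set -f; set -- $req; set +f    # split into words without globbing
    name=${1##*/}                  # drop the path, like basename in the thread
    for ok in $ALLOWED; do
        if [ "$name" = "$ok" ]; then
            shift; set -- "$name" "$@"
            echo "run $*"
            return 0
        fi
    done
    echo deny
}

# gate: act on the verdict. PATH is fixed before rksh starts, so the
# restricted shell never runs with sshd's default PATH.
gate() {
    verdict=$(classify "${SSH_ORIGINAL_COMMAND:-}")
    logger -p auth.info -t ssh-gate "user=${USER:-unknown} verdict=$verdict"
    PATH=$RPATH; export PATH
    case $verdict in
        shell)  exec /usr/bin/rksh ;;
        run\ *) exec /usr/bin/rksh -c "${verdict#run }" ;;
        *)      echo "command not permitted" >&2; exit 1 ;;
    esac
}

# Only act inside an SSH session (sshd always sets SSH_CONNECTION).
if [ -n "${SSH_CONNECTION:-}" ]; then gate; fi
```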


Markus Moeller

Mar 29, 2013, 9:13:56 AM
I did some more checks and it is my misunderstanding of how rksh works. ssh
executes the user's shell with a -c <command> <args> and although rksh is a
restricted shell it will execute anything with -c because the PATH is set to
the default including /usr/bin, etc.

Is there a way to change the PATH so that rksh would work as expected ?

Markus


Alan J Rosenthal

Mar 29, 2013, 9:44:11 AM
"Markus Moeller" <hua...@moeller.plus.com> writes:
...
>How can I force ssh to use rksh ?

I think that from what you've posted, it _is_ invoking rksh.
Try "ssh ruser@opensuse12 ps xg" and I suspect that you will see that it is.

If I'm right so far, next try "ssh ruser@opensuse12 echo \$PATH" (the
backslash prevents the variable from being expanded on the machine you're
typing it on, leaving it to be expanded on "opensuse12") and I suspect you
will find that the PATH variable is not using the restricted directory.
Perhaps your setting is in the wrong dotfile.

unruh

Mar 29, 2013, 11:38:12 AM

Markus Moeller

Mar 31, 2013, 9:53:34 AM
Hi,

I had to add my own script to call rksh and I had to link sftp-server and
scp into the rbin directory so that I could still use scp/sftp.

Maybe it is of use to someone.

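#!/bin/ksh
# Ignore INT (2) and QUIT (3) until the restricted shell has taken over.
trap "" 2 3
RPATH=/usr/rbin
/bin/logger -p auth.debug -t rksh "Arguments read $*"
if [ -n "$*" ]; then
    # First argument is the shell option (ssh passes -c), the rest is the command.
    arg1=$1
    shift
    set -A args $*
    if [ ${#args[*]} -gt 0 ]; then
        # Remove path of sftp-server to enforce use of RPATH
        args[0]=$(/usr/bin/basename "${args[0]}")
        export PATH=$RPATH
        trap 2 3    # reset INT and QUIT to their defaults
        exec /usr/bin/rksh "$arg1" "${args[*]}"
    else
        export PATH=$RPATH
        trap 2 3
        exec /usr/bin/rksh "$arg1"
    fi
else
    # No arguments: interactive login.
    export PATH=$RPATH
    trap 2 3
    exec /usr/bin/rksh
fi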

Markus


Richard E. Silverman

Apr 16, 2013, 9:13:12 PM
It should use the remote account's login shell, generally. It can be
overridden by login.conf (login_getcapstr(3)) in some environments; is
that happening?

- Richard