Bug 935 - Restrict commands in sshd_config
Status: CLOSED WONTFIX
Alias: None
Product: Portable OpenSSH
Classification: Unclassified
Component: sshd
Version: 3.8.1p1
Hardware: All Linux
Importance: P2 enhancement
Assignee: OpenSSH Bugzilla mailing list
Reported: 2004-09-27 13:07 AEST by Chris Jensen
Modified: 2006-10-07 11:37 AEST
Description Chris Jensen 2004-09-27 13:07:39 AEST
It would be nice if the sshd_config could specify a restricted set of commands
that could be executed, or even force a command like the "command=" option in
authorized_keys.

The use of authorized_keys is not appropriate in our case because:
1) We wish to enforce this for multiple users, and creating and deploying a
private/public key pair for each remote user is time-consuming and cumbersome.
It's also a step that can potentially be forgotten each time a new user is added.
2) For technical reasons, the user must type their password to log in so that a
PAM module may capture it.

I've asked on the security focus ssh list about this, but all the responses
pointed me to authorized_keys, so I'm guessing that means that it isn't implemented.
Comment 1 Damien Miller 2004-12-06 17:21:36 AEDT
If you want to force a user to run a specific command, just make it their login
shell. Alternately, you can use some sort of restricted shell (rbash, rssh, etc.).
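
The login-shell approach from Comment 1, sketched as an added example (not part of the bug thread and not OpenSSH code): a shell that accepts only whole command lines from a fixed table. The script path, the table entries and the binary paths are assumptions; it relies on sshd starting the account's shell as `<shell> -c "<command>"` for a remote command and with no arguments for an interactive login.

```shell
#!/bin/sh
# Added example: allowlisting login shell (hypothetical /usr/local/bin/ssh-allow).
# sshd runs the account's shell as `<shell> -c "<command>"` for a remote
# command and with no arguments for an interactive login.

# Constructed table: whole command line -> fixed program and arguments.
# The paths are assumptions; adjust them to the host.
resolve_command() {
    case "$1" in
        "uptime")  echo "/usr/bin/uptime" ;;
        "df -h")   echo "/bin/df -h" ;;
        "date -u") echo "/bin/date -u" ;;
        *)         return 1 ;;
    esac
}

restricted_shell() {
    # Anything other than exactly `-c <command>` (including an interactive
    # login, which has no arguments) is refused.
    if [ "$#" -ne 2 ] || [ "$1" != "-c" ]; then
        echo "interactive logins are disabled" >&2
        return 1
    fi
    # The client's string only selects a table entry; it is never passed
    # to eval or to another shell, so metacharacters have no effect.
    line=$(resolve_command "$2") || {
        echo "command not permitted" >&2
        return 1
    }
    set -f          # no globbing while splitting our own table entry
    IFS=' '
    set -- $line
    exec "$@"
}

# Entry point: with no arguments nothing runs and the session ends.
[ "$#" -eq 0 ] || restricted_shell "$@"
```

Set it as the account's login shell (for example with `chsh -s`). It only limits what is executed, so TCP forwarding still has to be controlled in sshd_config with `AllowTcpForwarding`.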
Comment 2 Darren Tucker 2006-10-07 11:37:17 AEST
Change all RESOLVED bugs to CLOSED with the exception of the ones fixed post-4.4.