Bugzilla – Attachment 2207 Details for
Bug 2062
Add support for a ForceShell sshd option
[patch]
Add a ForceShell option to override the user's shell
forced-shell.diff (text/plain), 4.83 KB, created by
Iain Morgan
on 2013-01-15 07:34:26 AEDT
Description:
Add a ForceShell option to override the user's shell
Filename:
MIME Type:
Creator:
Iain Morgan
Created:
2013-01-15 07:34:26 AEDT
Size:
4.83 KB
patch
obsolete
>Index: auth.c
>===================================================================
>RCS file: /cvs/openssh/auth.c,v
>retrieving revision 1.154
>diff -u -r1.154 auth.c
>--- auth.c 9 Jan 2013 04:54:48 -0000 1.154
>+++ auth.c 12 Jan 2013 02:25:42 -0000
>@@ -156,8 +156,9 @@
> * Deny if shell does not exist or is not executable unless we
> * are chrooting.
> */
>- if (options.chroot_directory == NULL ||
>- strcasecmp(options.chroot_directory, "none") == 0) {
>+ if (options.adm_forced_shell == NULL &&
>+ (options.chroot_directory == NULL ||
>+ strcasecmp(options.chroot_directory, "none") == 0)) {
> char *shell = xstrdup((pw->pw_shell[0] == '\0') ?
> _PATH_BSHELL : pw->pw_shell); /* empty = /bin/sh */
>
>Index: servconf.c
>===================================================================
>RCS file: /cvs/openssh/servconf.c,v
>retrieving revision 1.230
>diff -u -r1.230 servconf.c
>--- servconf.c 2 Dec 2012 22:50:55 -0000 1.230
>+++ servconf.c 12 Jan 2013 02:25:43 -0000
>@@ -146,6 +146,7 @@
> options->ip_qos_interactive = -1;
> options->ip_qos_bulk = -1;
> options->version_addendum = NULL;
>+ options->adm_forced_shell = NULL;
> }
>
> void
>@@ -334,7 +335,7 @@
> sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile,
> sKexAlgorithms, sIPQoS, sVersionAddendum,
> sAuthorizedKeysCommand, sAuthorizedKeysCommandUser,
>- sAuthenticationMethods,
>+ sAuthenticationMethods, sForceShell,
> sDeprecated, sUnsupported
> } ServerOpCodes;
>
>@@ -463,6 +464,7 @@
> { "authorizedkeyscommanduser", sAuthorizedKeysCommandUser, SSHCFG_ALL },
> { "versionaddendum", sVersionAddendum, SSHCFG_GLOBAL },
> { "authenticationmethods", sAuthenticationMethods, SSHCFG_ALL },
>+ { "forceshell", sForceShell, SSHCFG_ALL },
> { NULL, sBadOption, 0 }
> };
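Review bot: In the auth.c hunk, setting `options.adm_forced_shell` skips the existence and executable check altogether, so as far as the visible code shows the shell that will actually be run is never validated at login. Instead of bypassing the block, the forced shell could be fed into the same test while keeping the original chroot condition, e.g. `char *shell = xstrdup(options.adm_forced_shell ? options.adm_forced_shell : (pw->pw_shell[0] == '\0') ? _PATH_BSHELL : pw->pw_shell);`. A mistyped or non-executable ForceShell path would then be refused and logged at authentication rather than failing later at exec time. The body of the check continues outside the hunk, so this assumes the remaining lines only look at `shell`.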
>
>@@ -1552,6 +1554,15 @@
> }
> return 0;
>
>+ case sForceShell:
>+ if (cp == NULL)
>+ fatal("%.200s line %d: Missing argument.", filename,
>+ linenum);
>+ len = strspn(cp, WHITESPACE);
>+ if (*activep && options->adm_forced_shell == NULL)
>+ options->adm_forced_shell = xstrdup(cp + len);
>+ return 0;
>+
> case sDeprecated:
> logit("%s line %d: Deprecated option %s",
> filename, linenum, arg);
>@@ -1731,6 +1742,7 @@
>
> M_CP_STROPT(adm_forced_command);
> M_CP_STROPT(chroot_directory);
>+ M_CP_STROPT(adm_forced_shell);
> }
>
> #undef M_CP_INTOPT
>@@ -1968,6 +1980,7 @@
> dump_cfg_string(sVersionAddendum, o->version_addendum);
> dump_cfg_string(sAuthorizedKeysCommand, o->authorized_keys_command);
> dump_cfg_string(sAuthorizedKeysCommandUser, o->authorized_keys_command_user);
>+ dump_cfg_string(sForceShell, o->adm_forced_shell);
>
> /* string arguments requiring a lookup */
> dump_cfg_string(sLogLevel, log_level_name(o->log_level));
>Index: servconf.h
>===================================================================
>RCS file: /cvs/openssh/servconf.h,v
>retrieving revision 1.99
>diff -u -r1.99 servconf.h
>--- servconf.h 9 Jan 2013 04:56:45 -0000 1.99
>+++ servconf.h 12 Jan 2013 02:25:43 -0000
>@@ -180,6 +180,7 @@
>
> u_int num_auth_methods;
> char *auth_methods[MAX_AUTH_METHODS];
>+ char *adm_forced_shell;
> } ServerOptions;
>
> /* Information about the incoming connection as used by Match */
>Index: session.c
>===================================================================
>RCS file: /cvs/openssh/session.c,v
>retrieving revision 1.415
>diff -u -r1.415 session.c
>--- session.c 2 Dec 2012 22:50:55 -0000 1.415
>+++ session.c 12 Jan 2013 02:25:43 -0000
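Review bot: The `sForceShell` case stores the whole remainder of the line with `xstrdup(cp + len)`, as one would for a command string, but the session.c hunks then use that value as the shell path itself. Any trailing words therefore become part of the path, and a remainder that is empty after the whitespace skip would still be non-NULL and override the user's shell. Reading one token and insisting on an absolute path would be safer, e.g. `arg = strdelim(&cp); if (arg == NULL || *arg != '/') fatal("%.200s line %d: ForceShell requires an absolute path.", filename, linenum);`. There is also no `none` value (compare the `chroot_directory` test in the auth.c hunk), so once ForceShell is set globally a `Match` block appears to have no way to restore the user's own shell. The enclosing switch starts and ends outside the hunk.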
>@@ -821,7 +821,9 @@
> else if (s->ttyfd == -1) {
> char *shell = s->pw->pw_shell;
>
>- if (shell[0] == '\0') /* empty shell means /bin/sh */
>+ if (options.adm_forced_shell)
>+ shell = options.adm_forced_shell;
>+ else if (shell[0] == '\0') /* empty shell means /bin/sh */
> shell =_PATH_BSHELL;
> PRIVSEP(audit_run_command(shell));
> }
>@@ -1679,6 +1681,8 @@
> * legal, and means /bin/sh.
> */
> shell = (pw->pw_shell[0] == '\0') ? _PATH_BSHELL : pw->pw_shell;
>+ if (options.adm_forced_shell)
>+ shell = options.adm_forced_shell;
>
> /*
> * Make sure $SHELL points to the shell from the password file,
>Index: sshd_config.5
>===================================================================
>RCS file: /cvs/openssh/sshd_config.5,v
>retrieving revision 1.160
>diff -u -r1.160 sshd_config.5
>--- sshd_config.5 9 Jan 2013 05:12:19 -0000 1.160
>+++ sshd_config.5 12 Jan 2013 02:25:43 -0000
>@@ -456,6 +456,14 @@
> will force the use of an in-process sftp server that requires no support
> files when used with
> .Cm ChrootDirectory .
>+.It Cm ForceShell
>+Executes the command specified by
>+.Cm ForceShell
>+in place of the user's normal login shell.
>+This applies to shell, command, or subsystem execution.
>+It is most useful inside a
>+.Cm Match
>+block.
> .It Cm GatewayPorts
> Specifies whether remote hosts are allowed to connect to ports
> forwarded for the client.
>@@ -785,6 +793,7 @@
> .Cm DenyGroups ,
> .Cm DenyUsers ,
> .Cm ForceCommand ,
>+.Cm ForceShell ,
> .Cm GatewayPorts ,
> .Cm GSSAPIAuthentication ,
> .Cm HostbasedAuthentication ,
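Review bot: In the second session.c hunk (`@@ -1679`), the forced shell is assigned to `shell` directly above the comment saying `$SHELL` must point to the shell from the password file, so that comment is no longer true when ForceShell is set. It should be updated to something like `/* $SHELL is the ForceShell value when set, otherwise the password-file shell */`, or the environment should be built from the password-file value if that is the intent. The rest of the function lies outside the hunk, so it is worth confirming that nothing later reassigns `shell` (for example a per-login-class override), since that would silently undo the administrator's restriction. The first hunk (`@@ -821`) only changes the name passed to `audit_run_command` and looks consistent with this one.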
Attachments on
bug 2062
:
2207
|
2535