[nycbug-talk] restricted login shell and ssh
Jesse Callaway
bonsaime at gmail.com
Mon Feb 11 11:31:47 EST 2008
I popped my hand up and made a statement in the OpenSSH meeting
recently and made a completely false assertion. Tested it this
morning. I said that you could still pass commands to the shell (which
shell I was thinking of, I'm not sure...) if a user has a restricted
login, such as rsynconly. Hopefully nobody believed me. Anyway, using
the script referenced below I made a user with a restricted login. I'm
sure false or nologin would have proved it to myself more readily, but
I like to take the long way to figure out I'm wrong.
http://www.oreillynet.com/linux/blog/2006/05/restricting_rsync_over_ssh.html
So I ran
ssh sinko@server.com "ls -R"
The ls -R command was passed as an argument to the rsynconly shell, and
lo! I was not able to issue the command to "the shell". Duh.
To beat it into my skull I ran
sftp sinko@server.com
Here I got the message "Received message too long <some number>"
Short story is that I was assuming that sshd will pass commands on to
/bin/sh no matter what. Well, it doesn't. It passes commands on to the
shell specified in your login config.
Here is a nice link explaining a little bit about how the subsystems
(scp, sftp) are called.
http://www.snailbook.com/faq/sftp-corruption.auto.html
-jesse
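The behaviour Jesse describes, sshd handing the remote command to the account's login shell rather than to /bin/sh, is exactly what a restricted shell relies on. The script below is an added example written for this thread; it is not the O'Reilly script linked above and not anything from the list. It is a minimal "rsynconly"-style login shell in POSIX sh. The rsync location (RSYNC_BIN) and the allowed character set are assumptions to adjust for your system.

```shell
#!/bin/sh
# Added example: a minimal "rsynconly"-style restricted login shell.
# Not the script from the O'Reilly post; written for this thread as illustration.
#
# sshd does not run the remote command with /bin/sh. It runs the account's
# login shell as:   <login shell> -c '<remote command>'
# so with this script installed as the login shell, "$1" is "-c" and "$2"
# is the exact string the client asked for.

RSYNC_BIN=${RSYNC_BIN:-/usr/local/bin/rsync}   # assumed location; adjust per system

# Return 0 if the command is an rsync server-side invocation we are willing
# to run, 1 for anything else (ls -R, sftp-server, shell chains, ...).
allow_command() {
    cmd=$1
    # rsync always starts its remote side as "rsync --server ..."
    case $cmd in
        "rsync --server "*) ;;
        *) return 1 ;;
    esac
    # Character allowlist: letters, digits and the punctuation rsync itself
    # emits. Anything outside it (; & | $ ( ) ` < > quotes ...) is refused,
    # which also means paths that would need shell quoting are refused by design.
    case $cmd in
        *[!A-Za-z0-9._/=:@,+\ -]*) return 1 ;;
    esac
    return 0
}

# Verdict as a word ("allow"/"deny"), handy for checking the policy by hand.
check_command() {
    if allow_command "$1"; then echo allow; else echo deny; fi
}

main() {
    if [ "$1" != "-c" ] || [ $# -ne 2 ]; then
        echo "rsynconly: unexpected invocation" >&2
        exit 1
    fi
    if ! allow_command "$2"; then
        # Refusals go to stderr only. Whatever the login shell writes to stdout
        # is read by the sftp/rsync client as protocol data; that is what
        # produces "Received message too long" on the client side.
        echo "rsynconly: command refused: $2" >&2
        exit 1
    fi
    set -f          # no pathname expansion while word-splitting the vetted string
    set -- $2       # $1 is now "rsync", $2 is "--server", ...
    shift           # drop the leading "rsync" word
    exec "$RSYNC_BIN" "$@"   # absolute path: PATH is not to be trusted here
}

if [ $# -eq 0 ]; then
    # No arguments means sshd is starting an interactive session (or the file
    # is being run by hand with no arguments). Report on stderr and fall off
    # the end of the script: no shell is ever started.
    echo "rsynconly: interactive login not permitted" >&2
else
    main "$@"
fi
```

Installed as the account's login shell (chsh may insist it be listed in /etc/shells), `ssh sinko@server.com "ls -R"` is refused with a message on stderr, while `rsync -av sinko@server.com:/srv/data/ ./copy/` still works because rsync's remote side is always "rsync --server ...". The same check could instead live behind a `command=` entry in authorized_keys, where the client's request arrives in SSH_ORIGINAL_COMMAND rather than in "$2"; the login-shell form is the one this thread is about.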