author | Damien Miller <djm@mindrot.org> | 2006-07-24 14:06:47 +1000 |
---|---|---|
committer | Damien Miller <djm@mindrot.org> | 2006-07-24 14:06:47 +1000 |
commit | e275443f66aab6d46356d6940b8a8b291cab4f9e (patch) | |
tree | cd72ec0001cf412475f5348aa83c830252d0e1ce | |
parent | d1de9950e5ae91584aa955a4f85c9c7579aa76af (diff) |
- dtucker@cvs.openbsd.org 2006/07/19 13:07:10
[servconf.c servconf.h session.c sshd.8 sshd_config sshd_config.5]
Add ForceCommand keyword to sshd_config, equivalent to the "command="
key option, man page entry and example in sshd_config.
Feedback & ok djm@, man page corrections & ok jmc@
-rw-r--r-- | ChangeLog | 7 | ||||
-rw-r--r-- | servconf.c | 22 | ||||
-rw-r--r-- | servconf.h | 4 | ||||
-rw-r--r-- | session.c | 10 | ||||
-rw-r--r-- | sshd.8 | 5 | ||||
-rw-r--r-- | sshd_config | 8 | ||||
-rw-r--r-- | sshd_config.5 | 15 |
7 files changed, 61 insertions, 10 deletions
@@ -56,6 +56,11 @@ | |||
56 | [servconf.c sshd_config.5] | 56 | [servconf.c sshd_config.5] |
57 | Add support for X11Forwaring, X11DisplayOffset and X11UseLocalhost to | 57 | Add support for X11Forwaring, X11DisplayOffset and X11UseLocalhost to |
58 | Match. ok djm@ | 58 | Match. ok djm@ |
59 | - dtucker@cvs.openbsd.org 2006/07/19 13:07:10 | ||
60 | [servconf.c servconf.h session.c sshd.8 sshd_config sshd_config.5] | ||
61 | Add ForceCommand keyword to sshd_config, equivalent to the "command=" | ||
62 | key option, man page entry and example in sshd_config. | ||
63 | Feedback & ok djm@, man page corrections & ok jmc@ | ||
59 | 64 | ||
60 | 20060713 | 65 | 20060713 |
61 | - (dtucker) [auth-krb5.c auth-pam.c] Still more errno.h | 66 | - (dtucker) [auth-krb5.c auth-pam.c] Still more errno.h |
@@ -4974,4 +4979,4 @@ | |||
4974 | - (djm) Trim deprecated options from INSTALL. Mention UsePAM | 4979 | - (djm) Trim deprecated options from INSTALL. Mention UsePAM |
4975 | - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu | 4980 | - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu |
4976 | 4981 | ||
4977 | $Id: ChangeLog,v 1.4421 2006/07/24 04:05:48 djm Exp $ | 4982 | $Id: ChangeLog,v 1.4422 2006/07/24 04:06:47 djm Exp $ |
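--- a/servconf.c
+++ b/servconf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: servconf.c,v 1.157 2006/07/19 08:56:41 dtucker Exp $ */
+/* $OpenBSD: servconf.c,v 1.158 2006/07/19 13:07:10 dtucker Exp $ */
 /*
 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
 * All rights reserved
@@ -113,6 +113,7 @@ initialize_server_options(ServerOptions *options)
 options->authorized_keys_file2 = NULL;
 options->num_accept_env = 0;
 options->permit_tun = -1;
+options->adm_forced_command = NULL;
 }
 
 void
@@ -282,7 +283,7 @@ typedef enum {
 sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
 sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,
 sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel,
-sMatch, sPermitOpen,
+sMatch, sPermitOpen, sForceCommand,
 sUsePrivilegeSeparation,
 sDeprecated, sUnsupported
 } ServerOpCodes;
@@ -393,6 +394,7 @@ static struct {
 { "permittunnel", sPermitTunnel, SSHCFG_GLOBAL },
 { "match", sMatch, SSHCFG_ALL },
 { "permitopen", sPermitOpen, SSHCFG_ALL },
+{ "forcecommand", sForceCommand, SSHCFG_ALL },
 { NULL, sBadOption, 0 }
 };
 
@@ -551,6 +553,8 @@ match_cfg_line(char **condition, int line, const char *user, const char *host,
 return result;
 }
 
+#define WHITESPACE " \t\r\n"
+
 int
 process_server_config_line(ServerOptions *options, char *line,
 const char *filename, int linenum, int *activep, const char *user,
@@ -1173,6 +1177,15 @@ parse_flag:
 channel_add_adm_permitted_opens(p, port);
 break;
 
+case sForceCommand:
+if (cp == NULL)
+fatal("%.200s line %d: Missing argument.", filename,
+linenum);
+len = strspn(cp, WHITESPACE);
+if (*activep && options->adm_forced_command == NULL)
+options->adm_forced_command = xstrdup(cp + len);
+return 0;
+
 case sDeprecated:
 logit("%s line %d: Deprecated option %s",
 filename, linenum, arg);
@@ -1247,6 +1260,11 @@ copy_set_server_options(ServerOptions *dst, ServerOptions *src)
 dst->allow_tcp_forwarding = src->allow_tcp_forwarding;
 if (src->gateway_ports != -1)
 dst->gateway_ports = src->gateway_ports;
+if (src->adm_forced_command != NULL) {
+if (dst->adm_forced_command != NULL)
+xfree(dst->adm_forced_command);
+dst->adm_forced_command = src->adm_forced_command;
+}
 if (src->x11_display_offset != -1)
 dst->x11_display_offset = src->x11_display_offset;
 if (src->x11_forwarding != -1)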
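--- a/servconf.h
+++ b/servconf.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: servconf.h,v 1.75 2006/07/12 11:34:58 dtucker Exp $ */
+/* $OpenBSD: servconf.h,v 1.76 2006/07/19 13:07:10 dtucker Exp $ */
 
 /*
 * Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -135,6 +135,8 @@ typedef struct {
 char *authorized_keys_file; /* File containing public keys */
 char *authorized_keys_file2;
 
+char *adm_forced_command;
+
 int use_pam; /* Enable auth via PAM */
 
 int permit_tun;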
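Review bot: The new adm_forced_command field carries no trailing comment, while the neighbouring authorized_keys_file and use_pam fields document their purpose in the same style. Suggested: `char *adm_forced_command; /* ForceCommand from sshd_config; takes precedence over a key's command= option in do_exec */`. Since copy_set_server_options on this page copies the field by pointer rather than duplicating it, the comment is also the place to say which struct owns the string.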
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: session.c,v 1.209 2006/07/11 20:07:25 stevesk Exp $ */ | 1 | /* $OpenBSD: session.c,v 1.210 2006/07/19 13:07:10 dtucker Exp $ */ |
2 | /* | 2 | /* |
3 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland | 3 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland |
4 | * All rights reserved | 4 | * All rights reserved |
@@ -672,10 +672,14 @@ do_pre_login(Session *s) | |||
672 | void | 672 | void |
673 | do_exec(Session *s, const char *command) | 673 | do_exec(Session *s, const char *command) |
674 | { | 674 | { |
675 | if (forced_command) { | 675 | if (options.adm_forced_command) { |
676 | original_command = command; | ||
677 | command = options.adm_forced_command; | ||
678 | debug("Forced command (config) '%.900s'", command); | ||
679 | } else if (forced_command) { | ||
676 | original_command = command; | 680 | original_command = command; |
677 | command = forced_command; | 681 | command = forced_command; |
678 | debug("Forced command '%.900s'", command); | 682 | debug("Forced command (key option) '%.900s'", command); |
679 | } | 683 | } |
680 | 684 | ||
681 | #ifdef SSH_AUDIT_EVENTS | 685 | #ifdef SSH_AUDIT_EVENTS |
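Review bot: The new branch in do_exec gives a sshd_config ForceCommand priority over an authorized_keys command= option purely by the order of the if/else-if, and when both are set the key's forced_command is dropped with nothing but a debug message; neither the sshd.8 nor the sshd_config.5 text on this page states that precedence. A comment above the first test would make the intent explicit: `/* ForceCommand in sshd_config takes precedence over a key's command= option */`, and the sshd_config.5 ForceCommand entry could say the same. do_exec's body continues past the end of the hunk.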
@@ -34,7 +34,7 @@ | |||
34 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF | 34 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF |
35 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | 35 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
36 | .\" | 36 | .\" |
37 | .\" $OpenBSD: sshd.8,v 1.232 2006/07/10 16:04:21 jmc Exp $ | 37 | .\" $OpenBSD: sshd.8,v 1.233 2006/07/19 13:07:10 dtucker Exp $ |
38 | .Dd September 25, 1999 | 38 | .Dd September 25, 1999 |
39 | .Dt SSHD 8 | 39 | .Dt SSHD 8 |
40 | .Os | 40 | .Os |
@@ -481,6 +481,9 @@ to restrict certain public keys to perform just a specific operation. | |||
481 | An example might be a key that permits remote backups but nothing else. | 481 | An example might be a key that permits remote backups but nothing else. |
482 | Note that the client may specify TCP and/or X11 | 482 | Note that the client may specify TCP and/or X11 |
483 | forwarding unless they are explicitly prohibited. | 483 | forwarding unless they are explicitly prohibited. |
484 | The command originally supplied by the client is available in the | ||
485 | .Ev SSH_ORIGINAL_COMMAND | ||
486 | environment variable. | ||
484 | Note that this option applies to shell, command or subsystem execution. | 487 | Note that this option applies to shell, command or subsystem execution. |
485 | .It Cm environment="NAME=value" | 488 | .It Cm environment="NAME=value" |
486 | Specifies that the string is to be added to the environment when | 489 | Specifies that the string is to be added to the environment when |
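--- a/sshd_config
+++ b/sshd_config
@@ -1,4 +1,4 @@
-# $OpenBSD: sshd_config,v 1.73 2005/12/06 22:38:28 reyk Exp $
+# $OpenBSD: sshd_config,v 1.74 2006/07/19 13:07:10 dtucker Exp $
 
 # This is the sshd server system-wide configuration file. See
 # sshd_config(5) for more information.
@@ -104,3 +104,9 @@
 
 # override default of no subsystems
 Subsystem sftp /usr/libexec/sftp-server
+
+# Example of overriding settings on a per-user basis
+#Match User anoncvs
+# X11Forwarding no
+# AllowTcpForwarding no
+# ForceCommand cvs server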
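--- a/sshd_config.5
+++ b/sshd_config.5
@@ -34,7 +34,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd_config.5,v 1.66 2006/07/19 08:56:41 dtucker Exp $
+.\" $OpenBSD: sshd_config.5,v 1.67 2006/07/19 13:07:10 dtucker Exp $
 .Dd September 25, 1999
 .Dt SSHD_CONFIG 5
 .Os
@@ -283,6 +283,18 @@ See
 in
 .Xr ssh_config 5
 for more information on patterns.
+.It Cm ForceCommand
+Forces the execution of the command specified by
+.Cm ForceCommand ,
+ignoring any command supplied by the client.
+The command is invoked by using the user's login shell with the -c option.
+This applies to shell, command, or subsystem execution.
+It is most useful inside a
+.Cm Match
+block.
+The command originally supplied by the client is available in the
+.Ev SSH_ORIGINAL_COMMAND
+environment variable.
 .It Cm GatewayPorts
 Specifies whether remote hosts are allowed to connect to ports
 forwarded for the client.
@@ -484,6 +496,7 @@ Only a subset of keywords may be used on the lines following a
 keyword.
 Available keywords are
 .Cm AllowTcpForwarding ,
+.Cm ForceCommand ,
 .Cm GatewayPorts ,
 .Cm PermitOpen ,
 .Cm X11DisplayOffset ,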