-rw-r--r--ChangeLog7
-rw-r--r--servconf.c22
-rw-r--r--servconf.h4
-rw-r--r--session.c10
-rw-r--r--sshd.85
-rw-r--r--sshd_config8
-rw-r--r--sshd_config.515
7 files changed, 61 insertions, 10 deletions
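diff --git a/ChangeLog b/ChangeLog
index e42f8a786..0ae5d3f6c 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -56,6 +56,11 @@
  [servconf.c sshd_config.5]
  Add support for X11Forwaring, X11DisplayOffset and X11UseLocalhost to
  Match. ok djm@
+ - dtucker@cvs.openbsd.org 2006/07/19 13:07:10
+ [servconf.c servconf.h session.c sshd.8 sshd_config sshd_config.5]
+ Add ForceCommand keyword to sshd_config, equivalent to the "command="
+ key option, man page entry and example in sshd_config.
+ Feedback & ok djm@, man page corrections & ok jmc@
 
 20060713
  - (dtucker) [auth-krb5.c auth-pam.c] Still more errno.h
@@ -4974,4 +4979,4 @@
  - (djm) Trim deprecated options from INSTALL. Mention UsePAM
  - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu
 
-$Id: ChangeLog,v 1.4421 2006/07/24 04:05:48 djm Exp $
+$Id: ChangeLog,v 1.4422 2006/07/24 04:06:47 djm Exp $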
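diff --git a/servconf.c b/servconf.c
index bc457eebe..e2c1d4458 100644
--- a/servconf.c
+++ b/servconf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: servconf.c,v 1.157 2006/07/19 08:56:41 dtucker Exp $ */
+/* $OpenBSD: servconf.c,v 1.158 2006/07/19 13:07:10 dtucker Exp $ */
 /*
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
  * All rights reserved
@@ -113,6 +113,7 @@ initialize_server_options(ServerOptions *options)
  options->authorized_keys_file2 = NULL;
  options->num_accept_env = 0;
  options->permit_tun = -1;
+ options->adm_forced_command = NULL;
 }
 
 void
@@ -282,7 +283,7 @@ typedef enum {
  sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
  sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,
  sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel,
- sMatch, sPermitOpen,
+ sMatch, sPermitOpen, sForceCommand,
  sUsePrivilegeSeparation,
  sDeprecated, sUnsupported
 } ServerOpCodes;
@@ -393,6 +394,7 @@ static struct {
  { "permittunnel", sPermitTunnel, SSHCFG_GLOBAL },
  { "match", sMatch, SSHCFG_ALL },
  { "permitopen", sPermitOpen, SSHCFG_ALL },
+ { "forcecommand", sForceCommand, SSHCFG_ALL },
  { NULL, sBadOption, 0 }
 };
 
@@ -551,6 +553,8 @@ match_cfg_line(char **condition, int line, const char *user, const char *host,
  return result;
 }
 
+#define WHITESPACE " \t\r\n"
+
 int
 process_server_config_line(ServerOptions *options, char *line,
  const char *filename, int linenum, int *activep, const char *user,
@@ -1173,6 +1177,15 @@ parse_flag:
  channel_add_adm_permitted_opens(p, port);
  break;
 
+ case sForceCommand:
+ if (cp == NULL)
+ fatal("%.200s line %d: Missing argument.", filename,
+ linenum);
+ len = strspn(cp, WHITESPACE);
+ if (*activep && options->adm_forced_command == NULL)
+ options->adm_forced_command = xstrdup(cp + len);
+ return 0;
+
  case sDeprecated:
  logit("%s line %d: Deprecated option %s",
  filename, linenum, arg);
@@ -1247,6 +1260,11 @@ copy_set_server_options(ServerOptions *dst, ServerOptions *src)
  dst->allow_tcp_forwarding = src->allow_tcp_forwarding;
  if (src->gateway_ports != -1)
  dst->gateway_ports = src->gateway_ports;
+ if (src->adm_forced_command != NULL) {
+ if (dst->adm_forced_command != NULL)
+ xfree(dst->adm_forced_command);
+ dst->adm_forced_command = src->adm_forced_command;
+ }
  if (src->x11_display_offset != -1)
  dst->x11_display_offset = src->x11_display_offset;
  if (src->x11_forwarding != -1)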
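Review bot: The new sForceCommand case in process_server_config_line only rejects a missing remainder (`cp == NULL`); a line whose remainder is whitespace only passes the check, and after `len = strspn(cp, WHITESPACE)` the option is stored as an empty string, which do_exec in session.c then treats as a configured forced command because it is non-NULL. After computing len, add `if (cp[len] == '\0') fatal("%.200s line %d: Missing argument.", filename, linenum);` so an empty ForceCommand is a configuration error rather than a shell invoked with an empty command. Note also that the value is copied verbatim to end of line, so trailing whitespace (including a `\r` from a CRLF-edited file, as far as I can tell from the WHITESPACE define) becomes part of the command; trimming the tail is presumably worth it. In copy_set_server_options the new block aliases `dst->adm_forced_command` to `src->adm_forced_command` after freeing the old dst value, so a second call with the same src would free and then reuse the same string; guarding with `dst->adm_forced_command != src->adm_forced_command` before the xfree avoids that, matching what I would expect the other string options to do. Both enclosing functions begin outside their hunks.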
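diff --git a/servconf.h b/servconf.h
index a74716e6f..41dce7686 100644
--- a/servconf.h
+++ b/servconf.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: servconf.h,v 1.75 2006/07/12 11:34:58 dtucker Exp $ */
+/* $OpenBSD: servconf.h,v 1.76 2006/07/19 13:07:10 dtucker Exp $ */
 
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -135,6 +135,8 @@ typedef struct {
  char *authorized_keys_file; /* File containing public keys */
  char *authorized_keys_file2;
 
+ char *adm_forced_command;
+
  int use_pam; /* Enable auth via PAM */
 
  int permit_tun;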
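Review bot: The new `adm_forced_command` member carries no comment, unlike its neighbours `authorized_keys_file` and `use_pam`, and its name does not say where the value comes from or that it overrides the client's request. Suggest `char *adm_forced_command; /* ForceCommand from sshd_config; run instead of the client's command */`. The enclosing struct begins and ends outside the hunk.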
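diff --git a/session.c b/session.c
index 5441a4762..e189acdf2 100644
--- a/session.c
+++ b/session.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: session.c,v 1.209 2006/07/11 20:07:25 stevesk Exp $ */
+/* $OpenBSD: session.c,v 1.210 2006/07/19 13:07:10 dtucker Exp $ */
 /*
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
  * All rights reserved
@@ -672,10 +672,14 @@ do_pre_login(Session *s)
 void
 do_exec(Session *s, const char *command)
 {
- if (forced_command) {
+ if (options.adm_forced_command) {
+ original_command = command;
+ command = options.adm_forced_command;
+ debug("Forced command (config) '%.900s'", command);
+ } else if (forced_command) {
  original_command = command;
  command = forced_command;
- debug("Forced command (key option) '%.900s'", command);
+ debug("Forced command (key option) '%.900s'", command);
  }
 
 #ifdef SSH_AUDIT_EVENTS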
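Review bot: The precedence the new if/else-if chain in do_exec establishes — a configured ForceCommand wins over a `command=` key option, and the key option's command is then dropped without any trace in the logs — is not stated anywhere in the code. A comment above the first branch such as `/* A ForceCommand from sshd_config overrides any command= key option. */` would make the policy explicit for the next reader. Since the key-option string is discarded silently when both are set, a debug line in the first branch noting that a key option was superseded when `forced_command` is also non-NULL would help operators understand which restriction actually applied. The body of do_exec continues past the hunk.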
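diff --git a/sshd.8 b/sshd.8
index 48be5a760..778ea906b 100644
--- a/sshd.8
+++ b/sshd.8
@@ -34,7 +34,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd.8,v 1.232 2006/07/10 16:04:21 jmc Exp $
+.\" $OpenBSD: sshd.8,v 1.233 2006/07/19 13:07:10 dtucker Exp $
 .Dd September 25, 1999
 .Dt SSHD 8
 .Os
@@ -481,6 +481,9 @@ to restrict certain public keys to perform just a specific operation.
 An example might be a key that permits remote backups but nothing else.
 Note that the client may specify TCP and/or X11
 forwarding unless they are explicitly prohibited.
+The command originally supplied by the client is available in the
+.Ev SSH_ORIGINAL_COMMAND
+environment variable.
 Note that this option applies to shell, command or subsystem execution.
 .It Cm environment="NAME=value"
 Specifies that the string is to be added to the environment when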
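diff --git a/sshd_config b/sshd_config
index 57f9a17bb..6a3cad886 100644
--- a/sshd_config
+++ b/sshd_config
@@ -1,4 +1,4 @@
-# $OpenBSD: sshd_config,v 1.73 2005/12/06 22:38:28 reyk Exp $
+# $OpenBSD: sshd_config,v 1.74 2006/07/19 13:07:10 dtucker Exp $
 
 # This is the sshd server system-wide configuration file. See
 # sshd_config(5) for more information.
@@ -104,3 +104,9 @@
 
 # override default of no subsystems
 Subsystem sftp /usr/libexec/sftp-server
+
+# Example of overriding settings on a per-user basis
+#Match User anoncvs
+# X11Forwarding no
+# AllowTcpForwarding no
+# ForceCommand cvs server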
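diff --git a/sshd_config.5 b/sshd_config.5
index 9196b761e..26c895f7a 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -34,7 +34,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd_config.5,v 1.66 2006/07/19 08:56:41 dtucker Exp $
+.\" $OpenBSD: sshd_config.5,v 1.67 2006/07/19 13:07:10 dtucker Exp $
 .Dd September 25, 1999
 .Dt SSHD_CONFIG 5
 .Os
@@ -283,6 +283,18 @@ See
 in
 .Xr ssh_config 5
 for more information on patterns.
+.It Cm ForceCommand
+Forces the execution of the command specified by
+.Cm ForceCommand ,
+ignoring any command supplied by the client.
+The command is invoked by using the user's login shell with the -c option.
+This applies to shell, command, or subsystem execution.
+It is most useful inside a
+.Cm Match
+block.
+The command originally supplied by the client is available in the
+.Ev SSH_ORIGINAL_COMMAND
+environment variable.
 .It Cm GatewayPorts
 Specifies whether remote hosts are allowed to connect to ports
 forwarded for the client.
@@ -484,6 +496,7 @@ Only a subset of keywords may be used on the lines following a
 keyword.
 Available keywords are
 .Cm AllowTcpForwarding ,
+.Cm ForceCommand ,
 .Cm GatewayPorts ,
 .Cm PermitOpen ,
 .Cm X11DisplayOffset ,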