3 files changed, 14 insertions, 7 deletions

diff --git a/ChangeLog b/ChangeLog
index 876055383..993fe76c1 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -33,6 +33,10 @@
      works now that kernel fd passing has been fixed to accept a bit of
      sloppiness because of this ABI repair.
      lots of discussion with kettenis
+   - djm@cvs.openbsd.org 2008/03/25 11:58:02
+     [session.c sshd_config.5]
+     ignore ~/.ssh/rc if a sshd_config ForceCommand is specified;
+     from dtucker@ ok deraadt@ djm@
 
 20080315
  - (djm) [regress/test-exec.sh] Quote putty-related variables in case they are
@@ -3801,4 +3805,4 @@
    OpenServer 6 and add osr5bigcrypt support so when someone migrates
    passwords between UnixWare and OpenServer they will still work. OK dtucker@
 
-$Id: ChangeLog,v 1.4886 2008/03/27 00:01:15 djm Exp $
+$Id: ChangeLog,v 1.4887 2008/03/27 00:02:02 djm Exp $
diff --git a/session.c b/session.c
index 54621a4c0..3dcf222f5 100644
--- a/session.c
+++ b/session.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: session.c,v 1.230 2008/02/22 05:58:56 djm Exp $ */
+/* $OpenBSD: session.c,v 1.231 2008/03/25 11:58:02 djm Exp $ */
 /*
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
  *                    All rights reserved
@@ -1202,8 +1202,9 @@ do_rc_files(Session *s, const char *shell)
         do_xauth =
             s->display != NULL && s->auth_proto != NULL && s->auth_data != NULL;
 
-        /* ignore _PATH_SSH_USER_RC for subsystems */
-        if (!s->is_subsystem && (stat(_PATH_SSH_USER_RC, &st) >= 0)) {
+        /* ignore _PATH_SSH_USER_RC for subsystems and admin forced commands */
+        if (!s->is_subsystem && options.adm_forced_command != NULL &&
+            (stat(_PATH_SSH_USER_RC, &st) >= 0)) {
                 snprintf(cmd, sizeof cmd, "%s -c '%s %s'",
                     shell, _PATH_BSHELL, _PATH_SSH_USER_RC);
                 if (debug_flag)
diff --git a/sshd_config.5 b/sshd_config.5
index a2f193470..245ed946f 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -34,8 +34,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd_config.5,v 1.83 2008/02/11 07:58:28 jmc Exp $
-.Dd $Mdocdate: February 11 2008 $
+.\" $OpenBSD: sshd_config.5,v 1.84 2008/03/25 11:58:02 djm Exp $
+.Dd $Mdocdate: March 25 2008 $
 .Dt SSHD_CONFIG 5
 .Os
 .Sh NAME
@@ -324,7 +324,9 @@ for more information on patterns.
 .It Cm ForceCommand
 Forces the execution of the command specified by
 .Cm ForceCommand ,
-ignoring any command supplied by the client.
+ignoring any command supplied by the client and
+.Pa ~/.ssh/rc
+if present.
 The command is invoked by using the user's login shell with the -c option.
 This applies to shell, command, or subsystem execution.
 It is most useful inside a