- dtucker@cvs.openbsd.org 2006/07/19 13:07:10
[servconf.c servconf.h session.c sshd.8 sshd_config sshd_config.5] Add ForceCommand keyword to sshd_config, equivalent to the "command=" key option, man page entry and example in sshd_config. Feedback & ok djm@, man page corrections & ok jmc@
parent
d1de9950e5
commit
e275443f66
|
@ -56,6 +56,11 @@
|
|||
[servconf.c sshd_config.5]
|
||||
Add support for X11Forwaring, X11DisplayOffset and X11UseLocalhost to
|
||||
Match. ok djm@
|
||||
- dtucker@cvs.openbsd.org 2006/07/19 13:07:10
|
||||
[servconf.c servconf.h session.c sshd.8 sshd_config sshd_config.5]
|
||||
Add ForceCommand keyword to sshd_config, equivalent to the "command="
|
||||
key option, man page entry and example in sshd_config.
|
||||
Feedback & ok djm@, man page corrections & ok jmc@
|
||||
|
||||
20060713
|
||||
- (dtucker) [auth-krb5.c auth-pam.c] Still more errno.h
|
||||
|
@ -4974,4 +4979,4 @@
|
|||
- (djm) Trim deprecated options from INSTALL. Mention UsePAM
|
||||
- (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu
|
||||
|
||||
$Id: ChangeLog,v 1.4421 2006/07/24 04:05:48 djm Exp $
|
||||
$Id: ChangeLog,v 1.4422 2006/07/24 04:06:47 djm Exp $
|
||||
|
|
22
servconf.c
22
servconf.c
|
@ -1,4 +1,4 @@
|
|||
/* $OpenBSD: servconf.c,v 1.157 2006/07/19 08:56:41 dtucker Exp $ */
|
||||
/* $OpenBSD: servconf.c,v 1.158 2006/07/19 13:07:10 dtucker Exp $ */
|
||||
/*
|
||||
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
|
||||
* All rights reserved
|
||||
|
@ -113,6 +113,7 @@ initialize_server_options(ServerOptions *options)
|
|||
options->authorized_keys_file2 = NULL;
|
||||
options->num_accept_env = 0;
|
||||
options->permit_tun = -1;
|
||||
options->adm_forced_command = NULL;
|
||||
}
|
||||
|
||||
void
|
||||
|
@ -282,7 +283,7 @@ typedef enum {
|
|||
sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
|
||||
sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,
|
||||
sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel,
|
||||
sMatch, sPermitOpen,
|
||||
sMatch, sPermitOpen, sForceCommand,
|
||||
sUsePrivilegeSeparation,
|
||||
sDeprecated, sUnsupported
|
||||
} ServerOpCodes;
|
||||
|
@ -393,6 +394,7 @@ static struct {
|
|||
{ "permittunnel", sPermitTunnel, SSHCFG_GLOBAL },
|
||||
{ "match", sMatch, SSHCFG_ALL },
|
||||
{ "permitopen", sPermitOpen, SSHCFG_ALL },
|
||||
{ "forcecommand", sForceCommand, SSHCFG_ALL },
|
||||
{ NULL, sBadOption, 0 }
|
||||
};
|
||||
|
||||
|
@ -551,6 +553,8 @@ match_cfg_line(char **condition, int line, const char *user, const char *host,
|
|||
return result;
|
||||
}
|
||||
|
||||
#define WHITESPACE " \t\r\n"
|
||||
|
||||
int
|
||||
process_server_config_line(ServerOptions *options, char *line,
|
||||
const char *filename, int linenum, int *activep, const char *user,
|
||||
|
@ -1173,6 +1177,15 @@ parse_flag:
|
|||
channel_add_adm_permitted_opens(p, port);
|
||||
break;
|
||||
|
||||
case sForceCommand:
|
||||
if (cp == NULL)
|
||||
fatal("%.200s line %d: Missing argument.", filename,
|
||||
linenum);
|
||||
len = strspn(cp, WHITESPACE);
|
||||
if (*activep && options->adm_forced_command == NULL)
|
||||
options->adm_forced_command = xstrdup(cp + len);
|
||||
return 0;
|
||||
|
||||
case sDeprecated:
|
||||
logit("%s line %d: Deprecated option %s",
|
||||
filename, linenum, arg);
|
||||
|
@ -1247,6 +1260,11 @@ copy_set_server_options(ServerOptions *dst, ServerOptions *src)
|
|||
dst->allow_tcp_forwarding = src->allow_tcp_forwarding;
|
||||
if (src->gateway_ports != -1)
|
||||
dst->gateway_ports = src->gateway_ports;
|
||||
if (src->adm_forced_command != NULL) {
|
||||
if (dst->adm_forced_command != NULL)
|
||||
xfree(dst->adm_forced_command);
|
||||
dst->adm_forced_command = src->adm_forced_command;
|
||||
}
|
||||
if (src->x11_display_offset != -1)
|
||||
dst->x11_display_offset = src->x11_display_offset;
|
||||
if (src->x11_forwarding != -1)
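Review bot: In the `case sForceCommand:` branch of process_server_config_line the guard rejects only `cp == NULL`, so a `ForceCommand` line whose argument is empty once leading whitespace is skipped appears to be stored as an empty string instead of being rejected. do_exec in session.c tests only the pointer, so that empty string would then replace the client's command. Checking the remainder after the strspn call closes this: `if (cp[len] == '\0') fatal("%.200s line %d: Missing argument.", filename, linenum);`. A short comment saying that the first active ForceCommand wins (the `adm_forced_command == NULL` test) and that the whole rest of the line is taken as the command would also help. The function's body starts and ends outside the hunk.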
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
/* $OpenBSD: servconf.h,v 1.75 2006/07/12 11:34:58 dtucker Exp $ */
|
||||
/* $OpenBSD: servconf.h,v 1.76 2006/07/19 13:07:10 dtucker Exp $ */
|
||||
|
||||
/*
|
||||
* Author: Tatu Ylonen <ylo@cs.hut.fi>
|
||||
|
@ -135,6 +135,8 @@ typedef struct {
|
|||
char *authorized_keys_file; /* File containing public keys */
|
||||
char *authorized_keys_file2;
|
||||
|
||||
char *adm_forced_command;
|
||||
|
||||
int use_pam; /* Enable auth via PAM */
|
||||
|
||||
int permit_tun;
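Review bot: The new `char *adm_forced_command;` member has no comment, unlike `authorized_keys_file` and `use_pam` beside it. Suggested: `char *adm_forced_command; /* ForceCommand from sshd_config; NULL if unset */`. The servconf.c changes on this page allocate the string with xstrdup and have copy_set_server_options hand the source pointer to the destination, so the comment could also say that the string is heap-allocated and owned by the ServerOptions that holds it. The struct definition starts and ends outside the hunk.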
|
||||
|
|
10
session.c
10
session.c
|
@ -1,4 +1,4 @@
|
|||
/* $OpenBSD: session.c,v 1.209 2006/07/11 20:07:25 stevesk Exp $ */
|
||||
/* $OpenBSD: session.c,v 1.210 2006/07/19 13:07:10 dtucker Exp $ */
|
||||
/*
|
||||
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
|
||||
* All rights reserved
|
||||
|
@ -672,10 +672,14 @@ do_pre_login(Session *s)
|
|||
void
|
||||
do_exec(Session *s, const char *command)
|
||||
{
|
||||
if (forced_command) {
|
||||
if (options.adm_forced_command) {
|
||||
original_command = command;
|
||||
command = options.adm_forced_command;
|
||||
debug("Forced command (config) '%.900s'", command);
|
||||
} else if (forced_command) {
|
||||
original_command = command;
|
||||
command = forced_command;
|
||||
debug("Forced command '%.900s'", command);
|
||||
debug("Forced command (key option) '%.900s'", command);
|
||||
}
|
||||
|
||||
#ifdef SSH_AUDIT_EVENTS
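Review bot: The new first branch of do_exec gives `options.adm_forced_command` priority over the per-key `forced_command`, and nothing in the function states that ordering. A comment above the `if` would record it, for example `/* ForceCommand from sshd_config takes precedence over a command= key option */`. Both branches report the substitution only through debug(), so at default log levels there may be no record of which forced command replaced the client's request; consider whether this belongs at a higher log level. do_exec's body continues past the end of the hunk.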
|
||||
|
|
5
sshd.8
5
sshd.8
|
@ -34,7 +34,7 @@
|
|||
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
|
||||
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
.\"
|
||||
.\" $OpenBSD: sshd.8,v 1.232 2006/07/10 16:04:21 jmc Exp $
|
||||
.\" $OpenBSD: sshd.8,v 1.233 2006/07/19 13:07:10 dtucker Exp $
|
||||
.Dd September 25, 1999
|
||||
.Dt SSHD 8
|
||||
.Os
|
||||
|
@ -481,6 +481,9 @@ to restrict certain public keys to perform just a specific operation.
|
|||
An example might be a key that permits remote backups but nothing else.
|
||||
Note that the client may specify TCP and/or X11
|
||||
forwarding unless they are explicitly prohibited.
|
||||
The command originally supplied by the client is available in the
|
||||
.Ev SSH_ORIGINAL_COMMAND
|
||||
environment variable.
|
||||
Note that this option applies to shell, command or subsystem execution.
|
||||
.It Cm environment="NAME=value"
|
||||
Specifies that the string is to be added to the environment when
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
# $OpenBSD: sshd_config,v 1.73 2005/12/06 22:38:28 reyk Exp $
|
||||
# $OpenBSD: sshd_config,v 1.74 2006/07/19 13:07:10 dtucker Exp $
|
||||
|
||||
# This is the sshd server system-wide configuration file. See
|
||||
# sshd_config(5) for more information.
|
||||
|
@ -104,3 +104,9 @@
|
|||
|
||||
# override default of no subsystems
|
||||
Subsystem sftp /usr/libexec/sftp-server
|
||||
|
||||
# Example of overriding settings on a per-user basis
|
||||
#Match User anoncvs
|
||||
# X11Forwarding no
|
||||
# AllowTcpForwarding no
|
||||
# ForceCommand cvs server
|
||||
|
|
|
@ -34,7 +34,7 @@
|
|||
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
|
||||
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
.\"
|
||||
.\" $OpenBSD: sshd_config.5,v 1.66 2006/07/19 08:56:41 dtucker Exp $
|
||||
.\" $OpenBSD: sshd_config.5,v 1.67 2006/07/19 13:07:10 dtucker Exp $
|
||||
.Dd September 25, 1999
|
||||
.Dt SSHD_CONFIG 5
|
||||
.Os
|
||||
|
@ -283,6 +283,18 @@ See
|
|||
in
|
||||
.Xr ssh_config 5
|
||||
for more information on patterns.
|
||||
.It Cm ForceCommand
|
||||
Forces the execution of the command specified by
|
||||
.Cm ForceCommand ,
|
||||
ignoring any command supplied by the client.
|
||||
The command is invoked by using the user's login shell with the -c option.
|
||||
This applies to shell, command, or subsystem execution.
|
||||
It is most useful inside a
|
||||
.Cm Match
|
||||
block.
|
||||
The command originally supplied by the client is available in the
|
||||
.Ev SSH_ORIGINAL_COMMAND
|
||||
environment variable.
|
||||
.It Cm GatewayPorts
|
||||
Specifies whether remote hosts are allowed to connect to ports
|
||||
forwarded for the client.
|
||||
|
@ -484,6 +496,7 @@ Only a subset of keywords may be used on the lines following a
|
|||
keyword.
|
||||
Available keywords are
|
||||
.Cm AllowTcpForwarding ,
|
||||
.Cm ForceCommand ,
|
||||
.Cm GatewayPorts ,
|
||||
.Cm PermitOpen ,
|
||||
.Cm X11DisplayOffset ,
|
||||
|
|