SSH ForceCommand
I am in the process of migrating from a CentOS 5 to a CentOS 6 server. I have Duo two-factor authentication working on my original server via the ForceCommand parameter in my sshd_config file. SSH login prompts for password and immediately pushes Duo authentication to phone.
On my new server, it appears the .bashrc file is executed before ForceCommand, as I migrated my .bashrc from the original server to the new server. This was not the case previously. How do I force the ForceCommand to run before any profile-dependent .bashrc's? Thank you.
Code:
]$ wget http://ftp.redhat.com/redhat/linux/enterprise/6Server/en/os/SRPMS/bash-4.1.2-29.el6.src.rpm
0) set the user's shell to Something Completely Different that has no profile customizations (and use an alias or function to switch over to BASH),
1) recompile BASH and don't define SSH_SOURCE_BASHRC (which causes problems for your systems as this is now expected behaviour, plus you'll spend more time maintaining as you have to recompile BASH each time it's released) or
2) avoid sourcing profile-dependent stuff when running a non-interactive ('bash -c') shell: see the "INVOCATION" chapter in 'man bash' on what you need to do.

*I learned to avoid customizing ~/.bash* stuff a long time ago and on login I manually source aliases from a non-~/.bash* file name. What may look like an extra step to some means more control to me...
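Option 2 above, as an added example that is not part of the original post: a probe that reports whether the local bash build reads ~/.bashrc for a non-interactive command when SSH_CLIENT is set, and shows that an interactive-only guard at the top of .bashrc keeps the customizations from running in that case. The function name probe_bashrc, the marker file and the SSH_CLIENT value are constructed for the example.

```shell
#!/usr/bin/env bash
# Probe: does this bash build read ~/.bashrc for a non-interactive command
# when it believes sshd started it (SSH_CLIENT set, top-level shell)?

# probe_bashrc GUARD -> prints "sourced" or "skipped"
#   GUARD=yes puts an interactive-only guard at the top of the test .bashrc.
probe_bashrc() {
    local guard=$1 home result
    home=$(mktemp -d) || return 2
    {
        if [ "$guard" = yes ]; then
            # Guard from option 2: stop unless the shell is interactive.
            printf '%s\n' 'case $- in *i*) ;; *) return ;; esac'
        fi
        # Stand-in for profile customizations; leaves a marker when executed.
        printf '%s\n' ': > "$HOME/marker"'
    } > "$home/.bashrc"
    # Clean environment so SHLVL starts fresh. The SSH_CLIENT value is
    # constructed (documentation address). stdin is /dev/null, not a socket.
    env -i HOME="$home" PATH="$PATH" SSH_CLIENT='192.0.2.10 50000 22' \
        bash -c 'true' < /dev/null
    if [ -e "$home/marker" ]; then result=sourced; else result=skipped; fi
    rm -rf "$home"
    printf '%s\n' "$result"
}

echo "unguarded .bashrc: $(probe_bashrc no)"
echo "guarded .bashrc:   $(probe_bashrc yes)"
```

The guard only covers a .bashrc that the user leaves in place; it does nothing about a user who edits the file.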
I appreciate you taking the time to investigate; I probably would have driven myself to some degree of insanity trying to resolve this. At the end of the day, it sounds as though the ForceCommand may no longer be the best method to utilize Duo; I will most likely switch to the PAM module implementation. It seems as though changing the ForceCommand implementation between releases creates somewhat of an exploitable hole, as any user with authority to modify his .bashrc file can run a custom command preceding the one specified in the ForceCommand parameter.