LinuxQuestions.org
07-03-2007, 05:00 AM   #1
rockysfr
LQ Newbie
 
Registered: May 2006
Distribution: Fedora Core 5
Posts: 6

User input disabled with scripts launched for .ssh/rc?


Greetings all,

Am needing some expert advice here, hope to get some help

I'm currently making use of the $HOME/.ssh/rc file to launch an automated shell script immediately after the user has been verified through ssh.

The current problem that I'm facing now is that I am unable to use the "read" command anymore... seems like the "read" statements are being bypassed as though they were commands. This poses a huge issue, since I need to run several other scripts with heavy use of the "read" command as subshells.

Is there a way to work around this problem? Or is this part of some security feature in ssh that prevents one from accepting user inputs? I am currently interested in having the rc file launch certain groups of users (whose names can be found in a text file residing on the server) directly into another shell. Was thinking of a more automated approach, but seems like it'll be hard.



Thanks in advance.
 
07-03-2007, 05:46 AM   #2
jschiwal
Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

From the ssh manpage.
Code:
     ~/.ssh/rc
             Commands in this file are executed by ssh when the user logs in,
             just before the user's shell (or command) is started.  See the
             sshd(8) manual page for more information.
What kind of user input do you need?
Note the (or command) part. You can configure the user's client so that it runs a command instead of the shell. Use that instead of rc.

Quote:
am currently interested in having the rc file launch certain groups of users
I think you should use sshd_config "AllowGroups" or "AllowUsers" instead to control access.

Quote:
run several other scripts with heavy use of the "read" command
Quote:
Originally Posted by Learning the Bash Shell, O'Reilly
Actually, read is sort of an "escape hatch" from traditional shell programming philosophy, which dictates that the most important unit of data to process is a text file, and that UNIX utilities such as cut, grep, sort, etc., should be used as building blocks for writing programs.
Sorry, but this is one of my pet peeves. I see a lot of people posting sample bash programs reading in arguments instead of using the command arguments.

Last edited by jschiwal; 07-03-2007 at 06:00 AM.
 
07-03-2007, 07:59 AM   #3
rockysfr
LQ Newbie
 
Registered: May 2006
Distribution: Fedora Core 5
Posts: 6

Original Poster
Thanks a bunch! Really useful expert advice you've got there...

Was originally intending to use .ssh/rc to limit what the user can do. My initial plan was to get ssh to launch into one of my script files immediately after verification to prevent the user from having the chance to hit the command prompt. Wonder if this can be achieved without using rc?

Will definitely take into consideration the user and groups access rights method which you recommended
 
07-03-2007, 04:23 PM   #4
jschiwal
Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

It sounds like you want to present the user with a menu of things they can do. Perhaps a shell program using the select/case commands which launches other scripts, based on the user's selection. You could use the ForceCommand for that. It launches the user's shell with the -c option to run a single command.

If these are users who are only ones allowed to use ssh, and don't have full normal accounts on the server (no home directories), you can change their default shells in /etc/passwd to /bin/rbash. You could create a home directory and use the same home directory for all of these ssh users. Let's say it is /home/sshusers/. That directory could be in multiple home directory entries in /etc/passwd. That gives you the option to create a /home/sshusers/.profile file which could further define the environment and options of the restricted shell.

I'm not certain from the manpages whether or how you could have per-user differences in the ssh server setting. If you want to be able to login remotely yourself, you wouldn't want the "ForceCommand" option. So a user entry like "/bin/rbash -c /home/sshusers/bin/script.sh" for just those users might work out best in this case. This would also allow you to create different groups of these remote users, by creating a home directory for each group, each with a custom ~/.profile script.

Also look through the bash info manual at traps. You might want to trap all errors to prevent a problem from dropping the user into the shell.

You could also run two sshd daemons. One for general use that you and other full access users would use and a second one for these users. Use different ports and either different config files (-f config-file option) or different -o options when they are launched.

Last edited by jschiwal; 07-03-2007 at 04:36 PM.
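
The menu approach described in post #4 (a fixed set of choices started through ForceCommand, with signals trapped so that a failure does not leave the user at a shell), as an added example that is not part of the thread. It uses a POSIX read/case loop rather than bash's select; the Match group name, the --menu flag, the install path and the two script names are assumptions.

```shell
#!/bin/sh
# Added example: restricted login menu intended to run via sshd's ForceCommand.
# Hypothetical sshd_config fragment (group name and path are assumptions):
#   Match Group menuusers
#       ForceCommand /usr/local/bin/ssh-menu --menu
# Directory taken from the post; the script names below are made up.
SCRIPT_DIR=${SCRIPT_DIR:-/home/sshusers/bin}

# Map a menu choice to a fixed script path. Only the literal, allowlisted
# choices resolve; anything else returns 1 and prints nothing, so user
# input is never interpreted as a command line.
resolve_choice() {
    case "$1" in
        1) printf '%s\n' "$SCRIPT_DIR/report.sh" ;;
        2) printf '%s\n' "$SCRIPT_DIR/backup.sh" ;;
        *) return 1 ;;
    esac
}

menu() {
    # Ignore keyboard signals so Ctrl-C, Ctrl-\ and Ctrl-Z cannot break out
    # of the loop; end the session on hangup or termination.
    trap '' INT QUIT TSTP
    trap 'exit 1' HUP TERM
    while :; do
        printf '1) report\n2) backup\nq) quit\nchoice: '
        # EOF on stdin (client disconnected) ends the session.
        IFS= read -r choice || exit 0
        [ "$choice" = q ] && exit 0
        if target=$(resolve_choice "$choice"); then
            # A failing script is reported and the menu is shown again.
            "$target" || printf 'command failed (status %s)\n' "$?"
        else
            printf 'invalid choice\n'
        fi
    done
}

# Run the menu only when started with --menu, and exit afterwards so
# control can never fall through to an interactive shell.
if [ "${1:-}" = "--menu" ]; then
    menu
    exit 1
fi
```

Because the command is forced by sshd, whatever the client asked to run is ignored (sshd exposes it only as SSH_ORIGINAL_COMMAND). Signals ignored with `trap ''` stay ignored in the scripts the menu starts.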
All times are GMT -5.