Date: Fri, 29 Mar 2002 18:39:56 -0800 (PST) From: Jason Stone <jason-fbsd-security@shalott.net> To: Peter Leftwich <Hostmaster@Video2Video.Com> Cc: FreeBSD Security <freebsd-security@FreeBSD.ORG> Subject: Re: using ssh to run remote commands? [ssh -T, scp/ssh flags] Message-ID: <20020329175559.V2704-100000@walter> In-Reply-To: <20020329204245.N81735-100000@earl-grey.cloud9.net>
next in thread | previous in thread | raw e-mail | index | archive | help
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
> > > I'd like to know how to run remote commands using ssh. I know I
> > > can do it as myself, but I'd like to know how can I set up my
> > > systems to allow non-login users (root, operator, amanda) to run
> > > remote commands on other hosts.
> > You can't - ssh will always try to run a command by calling the
> > user's shell, so unless you patch it, you _must_ give the user a
> > valid shell.
> I thought there was some way to run "ssh -T user@host" to bypass your
> shell, no?
Yes, you can have ssh run a command instead of an interactive shell by
specifying it on the commandline, but that command is _always_ run as
"$SHELL -c command", whether or not you force allocation (or lack thereof)
of a tty.
Look at session.c in the openssh distribution - note that both
do_exec_pty() and do_exec_no_pty() both call do_child() to actually
run your command and do_child() runs your command with:
/*
* Execute the command using the user's shell. This uses the -c
* option to execute the command.
*/
argv[0] = (char *) cp;
argv[1] = "-c";
argv[2] = (char *) command;
argv[3] = NULL;
execve(shell, argv, env);
> Why are the man page and options for the command "scp" so LIMITED compared
> to those of "ssh?"
scp is supposed to be mostly dropin compatible with rcp, so the openssh
guys don't like to add options to it. The way to specify options for scp
is with -o and long ssh options - eg:
scp -o Protocol=2 -o BatchMode=yes file remotehost:/path/
-Jason
-----------------------------------------------------------------------
I worry about my child and the Internet all the time, even though she's
too young to have logged on yet. Here's what I worry about. I worry
that 10 or 15 years from now, she will come to me and say "Daddy, where
were you when they took freedom of the press away from the Internet?"
-- Mike Godwin
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (FreeBSD)
Comment: See https://private.idealab.com/public/jason/jason.gpg
iD8DBQE8pSV/swXMWWtptckRAu5XAKDcoqWjYwJ9ZA/8VZknzRcswiNInwCeJkof
Pu4+nXtlDtXSn4UKOe5nmqM=
=yq8q
-----END PGP SIGNATURE-----
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20020329175559.V2704-100000>