From owner-freebsd-questions@FreeBSD.ORG  Sat Jun 26 22:31:30 2004
Return-Path: <owner-freebsd-questions@FreeBSD.ORG>
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 7B84716A4CE
	for <freebsd-questions@freebsd.org>;
	Sat, 26 Jun 2004 22:31:30 +0000 (GMT)
Received: from outfbmx007.isp.belgacom.be (outfbmx007.isp.belgacom.be
	[195.238.3.104])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 1487643D2F
	for <freebsd-questions@freebsd.org>;
	Sat, 26 Jun 2004 22:31:29 +0000 (GMT)
	(envelope-from geert@lori.mine.nu)
Received: from outmx014.isp.belgacom.be (outmx014.isp.belgacom.be
	[195.238.2.69])
	(8.12.11/8.12.11/Skynet-OUT-FALLBACK-2.22) with ESMTP id
	i5QMDhmG028488        for <freebsd-questions@freebsd.org>;
	Sun, 27 Jun 2004 00:13:43 +0200
	(envelope-from <geert@lori.mine.nu>)
Received: from outmx014.isp.belgacom.be (localhost [127.0.0.1])
	with ESMTP id i5QMDOZV015059
	for <freebsd-questions@freebsd.org>; Sun, 27 Jun 2004 00:13:24 +0200
	(envelope-from <geert@lori.mine.nu>)
Received: from lori.mine.nu (111-26.244.81.adsl.skynet.be [81.244.26.111])
	with ESMTP id i5QMDMEv015047;	Sun, 27 Jun 2004 00:13:22 +0200
	(envelope-from <geert@lori.mine.nu>)
Received: by lori.mine.nu (Postfix, from userid 1000)
	id AE480715; Sun, 27 Jun 2004 00:13:20 +0200 (CEST)
Date: Sun, 27 Jun 2004 00:13:20 +0200
From: Geert Hendrickx <geert.hendrickx@ua.ac.be>
To: Rob <stopspam@users.sourceforge.net>
Message-ID: <20040626221320.GA6187@lori.mine.nu>
References: <40DBCA04.30203@users.sourceforge.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <40DBCA04.30203@users.sourceforge.net>
User-Agent: Mutt/1.4.2i
X-GPG-Key: http://www.win.ua.ac.be/~s005085/gnupgkey.txt
X-GPG-Key-ID: 1024D/766C1E92
X-Accept-Language: nl,en
cc: freebsd-questions@freebsd.org
Subject: Re: Configure ssh to behave like rsh. How?
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: User questions <freebsd-questions.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>,
	<mailto:freebsd-questions-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-questions>
List-Post: <mailto:freebsd-questions@freebsd.org>
List-Help: <mailto:freebsd-questions-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>,
	<mailto:freebsd-questions-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Sat, 26 Jun 2004 22:31:30 -0000

On Fri, Jun 25, 2004 at 03:45:24PM +0900, Rob wrote:
> 
> Hi,
> 
> I have a cluster of PCs, on which the 'slaves' used to only allow rsh
> connections, to execute commands, but no logins.
> 
> I have removed the r-commands, and want to use the ssh command family
> instead. Although 'ssh slaveN command' works fine, this also allows login
> to the slave PC, simply by typing 'ssh slaveN'.
> 
> How can I configure sshd, so that it will allow remote command execution,
> but will refuse logins?
> 
> Thanks,
> Rob.

I'd say you could give the users no shell (if they shouldn't have shell
access to the machine in any other way), by setting their default shell
to /sbin/nologin.  You can do that with the chsh(1) command.  

Then again, they may still be able to start a shell with 
	'ssh <remote-machine> tcsh'
so maybe you should chmod /bin/sh and /bin/tcsh to 550.  

GH