Date: Fri, 29 Mar 2002 18:39:56 -0800 (PST)
From: Jason Stone
To: Peter Leftwich
Cc: FreeBSD Security
Subject: Re: using ssh to run remote commands? [ssh -T, scp/ssh flags]
In-Reply-To: <20020329204245.N81735-100000@earl-grey.cloud9.net>
Message-ID: <20020329175559.V2704-100000@walter>

> > > I'd like to know how to run remote commands using ssh. I know I
> > > can do it as myself, but I'd like to know how can I set up my
> > > systems to allow non-login users (root, operator, amanda) to run
> > > remote commands on other hosts.

> > You can't - ssh will always try to run a command by calling the
> > user's shell, so unless you patch it, you _must_ give the user a
> > valid shell.

> I thought there was some way to run "ssh -T user@host" to bypass your
> shell, no?

Yes, you can have ssh run a command instead of an interactive shell by
specifying it on the command line, but that command is _always_ run as
"$SHELL -c command", whether or not you force allocation (or lack
thereof) of a tty.

Look at session.c in the openssh distribution - note that
do_exec_pty() and do_exec_no_pty() both call do_child() to actually run
your command, and do_child() runs your command with:

        /*
         * Execute the command using the user's shell.  This uses the -c
         * option to execute the command.
         */
        argv[0] = (char *) cp;
        argv[1] = "-c";
        argv[2] = (char *) command;
        argv[3] = NULL;
        execve(shell, argv, env);

> Why are the man page and options for the command "scp" so LIMITED compared
> to those of "ssh?"

scp is supposed to be mostly drop-in compatible with rcp, so the openssh
guys don't like to add options to it. The way to specify options for scp
is with -o and long ssh options - e.g.:

        scp -o Protocol=2 -o BatchMode=yes file remotehost:/path/

 -Jason

 -----------------------------------------------------------------------
 I worry about my child and the Internet all the time, even though she's
 too young to have logged on yet. Here's what I worry about. I worry that
 10 or 15 years from now, she will come to me and say "Daddy, where were
 you when they took freedom of the press away from the Internet?"
        -- Mike Godwin
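
Added example (not part of the original message, and not OpenSSH code): a small C harness that builds the same argv as the do_child() excerpt quoted above and shows why an account whose shell is not a real shell never runs the requested command. Assumptions: run_via_shell is a hypothetical helper name, and /bin/false stands in for a non-login shell such as nologin.

```c
/* Added illustration, not OpenSSH source: build the same argv as the quoted
 * do_child() excerpt and see what different "shells" do with it. */
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

extern char **environ;

/* run_via_shell (hypothetical name): execve(shell, {argv0, "-c", command}),
 * capture the child's stdout in out, return its exit status or -1 on error. */
int run_via_shell(const char *shell, const char *command, char *out, size_t outlen)
{
    int fds[2], status;
    if (outlen == 0 || pipe(fds) == -1)
        return -1;
    pid_t pid = fork();
    if (pid == -1) { close(fds[0]); close(fds[1]); return -1; }
    if (pid == 0) {
        const char *base = strrchr(shell, '/');
        char *argv[4];
        argv[0] = (char *)(base ? base + 1 : shell);
        argv[1] = "-c";
        argv[2] = (char *)command;
        argv[3] = NULL;
        dup2(fds[1], STDOUT_FILENO);
        close(fds[0]); close(fds[1]);
        execve(shell, argv, environ);
        _exit(127);                 /* shell missing or not executable */
    }
    close(fds[1]);
    size_t used = 0;
    ssize_t n;
    while (used < outlen - 1 && (n = read(fds[0], out + used, outlen - 1 - used)) > 0)
        used += (size_t)n;
    out[used] = '\0';
    close(fds[0]);
    if (waitpid(pid, &status, 0) == -1)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    char buf[128];
    int rc = run_via_shell("/bin/sh", "echo ran", buf, sizeof buf);
    printf("/bin/sh: exit %d, output \"%s\"\n", rc, buf);
    rc = run_via_shell("/bin/false", "echo ran", buf, sizeof buf);
    printf("/bin/false: exit %d, output \"%s\"\n", rc, buf);
    return 0;
}
```

With /bin/sh the command runs and its output comes back; with the stand-in non-shell the "-c command" arguments are simply ignored, so nothing runs regardless of tty allocation.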