From owner-freebsd-security Sat Mar 30 0: 6:31 2002
Delivered-To: freebsd-security@freebsd.org
Received: from prometheus.vh.laserfence.net (prometheus.laserfence.net [196.44.73.116]) by hub.freebsd.org (Postfix) with ESMTP id C359937B41E for ; Sat, 30 Mar 2002 00:06:19 -0800 (PST)
Received: from phoenix.vh.laserfence.net ([192.168.0.10]) by prometheus.vh.laserfence.net with esmtp (Exim 3.34 #1) id 16rDre-0003Pm-00; Sat, 30 Mar 2002 10:05:30 +0200
Date: Sat, 30 Mar 2002 10:05:28 +0200 (SAST)
From: Willie Viljoen
X-X-Sender: will@phoenix.vh.laserfence.net
To: Jason Stone
Cc: Peter Leftwich , FreeBSD Security
Subject: Re: using ssh to run remote commands? [ssh -T, scp/ssh flags]
In-Reply-To: <20020329175559.V2704-100000@walter>
Message-ID: <20020330095740.R508-100000@phoenix.vh.laserfence.net>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

Just as a matter of interest, there is _one_ use for SSH where a valid
shell on the remote host is not required.

I use SSH to forward connections between an intranet server at home and my
FreeBSD box at the office. This is very useful for the box at home, which
has a static IP, but only an intermittent connection, to fetch my mail from
the FreeBSD box, and to use the FreeBSD box as a proxy cache, without port
3128 having to be open, and with the added bonus of encryption, which gets
a bit more out of my tiny 56kbps connection here.

To do this, the user on the remote machine need not have a shell, either
/sbin/nologin or /bin/false will do the trick, depending on your
preference.

On the local side, create a .ssh/config file for the user as which you want
to run the portforward, include options for batch mode and all that..
your file should look somewhat like this:

Host apollo.laserfence.net
    BatchMode yes
    IdentityFile ~/.ssh/portfw-id-dsa
    Compression yes
    Ciphers aes256-cbc
    MACs hmac-sha1
    LocalForward 9110:localhost:110

The portfw-id-dsa DSA key is a special one I created for this purpose only,
it's a 2048-bit key with no passphrase, such that the machine can use it
without supervision. DO NOT use this key for anything else, and never copy
it to other machines, or any machine that is not directly under your
control and ONLY your control.

The rest of the file should be fairly self explanatory.

After this is set up, have a startup script or some automata run a command
similar to this when your connection comes up:

ssh -f apollo.laserfence.net -N

This specifies that SSH should fork to the background and take on daemonish
characteristics, the -N switch specifies that SSH should _NOT_ start a
shell on the remote host, nor run any commands. This basically starts up a
connection and nothing else to the remote machine. Very handy for port
forwarding if you don't want to establish the tunnel manually.

Will

On Fri, 29 Mar 2002, Jason Stone wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
>
> > > > I'd like to know how to run remote commands using ssh. I know I
> > > > can do it as myself, but I'd like to know how can I set up my
> > > > systems to allow non-login users (root, operator, amanda) to run
> > > > remote commands on other hosts.
> > >
> > > You can't - ssh will always try to run a command by calling the
> > > user's shell, so unless you patch it, you _must_ give the user a
> > > valid shell.
> >
> > I thought there was some way to run "ssh -T user@host" to bypass your
> > shell, no?
>
> Yes, you can have ssh run a command instead of an interactive shell by
> specifying it on the commandline, but that command is _always_ run as
> "$SHELL -c command", whether or not you force allocation (or lack thereof)
> of a tty.
>
> Look at session.c in the openssh distribution - note that both
> do_exec_pty() and do_exec_no_pty() both call do_child() to actually
> run your command and do_child() runs your command with:
>
>         /*
>          * Execute the command using the user's shell.  This uses the -c
>          * option to execute the command.
>          */
>         argv[0] = (char *) cp;
>         argv[1] = "-c";
>         argv[2] = (char *) command;
>         argv[3] = NULL;
>         execve(shell, argv, env);
>
>
> > Why are the man page and options for the command "scp" so LIMITED compared
> > to those of "ssh?"
>
> scp is supposed to be mostly drop-in compatible with rcp, so the openssh
> guys don't like to add options to it.  The way to specify options for scp
> is with -o and long ssh options - eg:
>
>         scp -o Protocol=2 -o BatchMode=yes file remotehost:/path/
>
>
>  -Jason
>
> -----------------------------------------------------------------------
> I worry about my child and the Internet all the time, even though she's
> too young to have logged on yet. Here's what I worry about. I worry
> that 10 or 15 years from now, she will come to me and say "Daddy, where
> were you when they took freedom of the press away from the Internet?"
>       -- Mike Godwin
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.0.6 (FreeBSD)
> Comment: See https://private.idealab.com/public/jason/jason.gpg
>
> iD8DBQE8pSV/swXMWWtptckRAu5XAKDcoqWjYwJ9ZA/8VZknzRcswiNInwCeJkof
> Pu4+nXtlDtXSn4UKOe5nmqM=
> =yq8q
> -----END PGP SIGNATURE-----
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
>
>

--
Willie Viljoen
Private IT Consultant

214 Paul Kruger Avenue
Universitas
Bloemfontein
9321
South Africa

+27 51 522 15 60, a/h +27 51 522 44 36
+27 82 404 03 27

will@laserfence.net
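The "startup script or some automata" that Will leaves to the reader, written out as an added example (this is not code from the list post or from OpenSSH). It assumes the Host alias from the post is already in ~/.ssh/config, invents its own pid-file path and an overridable SSH variable, and uses the real OpenSSH option ExitOnForwardFailure so that a tunnel whose LocalForward cannot be bound dies instead of sitting there looking healthy.

```shell
#!/bin/sh
# Added example: bring up the forwarding-only SSH tunnel from the post when
# the link comes up, and refuse to start a second copy if one is running.
# PORTFW_HOST must be a Host alias in ~/.ssh/config (BatchMode, IdentityFile,
# LocalForward ... as in the post). PORTFW_PIDFILE and SSH are this script's
# own inventions; SSH is overridable so the logic can be exercised offline.

PORTFW_HOST=${PORTFW_HOST:-apollo.laserfence.net}
PORTFW_PIDFILE=${PORTFW_PIDFILE:-${TMPDIR:-/tmp}/portfw-$PORTFW_HOST.pid}
SSH=${SSH:-ssh}

# Return 0 if a tunnel recorded in the pid file is still alive.
# Caveat: a stale pid file whose pid has been reused by an unrelated process
# will look "up"; delete the pid file if that ever happens.
portfw_is_up() {
    [ -r "$PORTFW_PIDFILE" ] || return 1
    pid=$(cat "$PORTFW_PIDFILE")
    [ -n "$pid" ] && kill -0 "$pid" 2>/dev/null
}

# Start the tunnel unless it is already up. -N: no remote shell or command,
# as in the post. The script backgrounds ssh itself instead of using -f so it
# can record the child's pid; stdin is /dev/null so BatchMode can never be
# bypassed by something waiting on a terminal.
portfw_start() {
    if portfw_is_up; then
        echo "tunnel to $PORTFW_HOST already running (pid $(cat "$PORTFW_PIDFILE"))"
        return 0
    fi
    "$SSH" -N -o ExitOnForwardFailure=yes "$PORTFW_HOST" </dev/null >/dev/null 2>&1 &
    echo $! > "$PORTFW_PIDFILE"
    # Give ssh a moment to fail fast (DNS, auth, port already bound).
    sleep 1
    if portfw_is_up; then
        echo "tunnel to $PORTFW_HOST up (pid $(cat "$PORTFW_PIDFILE"))"
        return 0
    fi
    rm -f "$PORTFW_PIDFILE"
    echo "tunnel to $PORTFW_HOST failed to start" >&2
    return 1
}

# Tear the tunnel down and clear the pid file. The wait reaps the child if it
# was started by this shell so kill -0 cannot see a zombie afterwards.
portfw_stop() {
    if ! portfw_is_up; then
        rm -f "$PORTFW_PIDFILE"
        return 0
    fi
    pid=$(cat "$PORTFW_PIDFILE")
    kill "$pid" 2>/dev/null || true
    wait "$pid" 2>/dev/null || true
    rm -f "$PORTFW_PIDFILE"
}

# Only act when invoked with a verb, so the file can also be sourced.
case "${1:-}" in
    start)  portfw_start ;;
    stop)   portfw_stop ;;
    status) if portfw_is_up; then echo up; else echo down; fi ;;
esac
```

Hook `portfw start` into whatever fires when the connection comes up (ppp's ip-up script in the 2002 setting, a network-manager dispatcher today) and `portfw stop` into its counterpart. Because the key has no passphrase, the server side of this setup deserves a matching restriction that the post does not mention: the key's line in the remote user's authorized_keys can carry options such as `no-pty`, `no-agent-forwarding`, `no-X11-forwarding` and `permitopen="localhost:110"`, so even a stolen copy of portfw-id-dsa buys nothing beyond that one forward.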