Date:      Sat, 30 Mar 2002 10:05:28 +0200 (SAST)
From:      Willie Viljoen <will@laserfence.net>
To:        Jason Stone <jason-fbsd-security@shalott.net>
Cc:        Peter Leftwich <Hostmaster@Video2Video.Com>, FreeBSD Security <freebsd-security@FreeBSD.ORG>
Subject:   Re: using ssh to run remote commands? [ssh -T, scp/ssh flags]
Message-ID:  <20020330095740.R508-100000@phoenix.vh.laserfence.net>
In-Reply-To: <20020329175559.V2704-100000@walter>

Just as a matter of interest, there is _one_ use for SSH where a valid
shell on the remote host is not required.

I use SSH to forward connections between an intranet server at home and my
FreeBSD box at the office.

This is very useful for the box at home, which has a static IP, but only
an intermittent connection, to fetch my mail from the FreeBSD box, and to
use the FreeBSD box as a proxy cache, without port 3128 having to be open,
and with the added bonus of encryption, which gets a bit more out of my
tiny 56kbps connection here.

To do this, the user on the remote machine need not have a shell, either
/sbin/nologin or /bin/false will do the trick, depending on your
preference.

On the local side, create a .ssh/config file for the user as which you
want to run the portforward, include options for batch mode and all that..
your file should look somewhat like this:

	Host apollo.laserfence.net
		BatchMode yes
		IdentityFile ~/.ssh/portfw-id-dsa
		Compression yes
		Ciphers aes256-cbc
		MACs hmac-sha1
		LocalForward 9110:localhost:110

The portfw-id-dsa DSA key is a special one I created for this purpose
only, it's a 2048-bit key with no passphrase, such that the machine can
use it without supervision. DO NOT use this key for anything else, and
never copy it to other machines, or any machine that is not directly under
your control and ONLY your control.

The rest of the file should be fairly self-explanatory.

After this is set up, have a startup script or some automata run a
command similar to this when your connection comes up:

	ssh -f apollo.laserfence.net -N

This specifies that SSH should fork to the background and take on
daemonish characteristics, the -N switch specifies that SSH should _NOT_
start a shell on the remote host, nor run any commands. This basically
starts up a connection and nothing else to the remote machine. Very handy
for port forwarding if you don't want to establish the tunnel manually.

Will

On Fri, 29 Mar 2002, Jason Stone wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
>
> > > > I'd like to know how to run remote commands using ssh. I know I
> > > > can do it as myself, but I'd like to know how can I set up my
> > > > systems to allow non-login users (root, operator, amanda) to run
> > > > remote commands on other hosts.
>
> > > You can't - ssh will always try to run a command by calling the
> > > user's shell, so unless you patch it, you _must_ give the user a
> > > valid shell.
>
> > I thought there was some way to run "ssh -T user@host" to bypass your
> > shell, no?
>
> Yes, you can have ssh run a command instead of an interactive shell by
> specifying it on the commandline, but that command is _always_ run as
> "$SHELL -c command", whether or not you force allocation (or lack thereof)
> of a tty.
>
> Look at session.c in the openssh distribution - note that both
> do_exec_pty() and do_exec_no_pty() both call do_child() to actually
> run your command and do_child() runs your command with:
>
>         /*
>          * Execute the command using the user's shell.  This uses the -c
>          * option to execute the command.
>          */
>         argv[0] = (char *) cp;
>         argv[1] = "-c";
>         argv[2] = (char *) command;
>         argv[3] = NULL;
>         execve(shell, argv, env);
>
>
> > Why are the man page and options for the command "scp" so LIMITED compared
> > to those of "ssh?"
>
> scp is supposed to be mostly drop-in compatible with rcp, so the openssh
> guys don't like to add options to it.  The way to specify options for scp
> is with -o and long ssh options - eg:
>
> scp -o Protocol=2 -o BatchMode=yes file remotehost:/path/
>
>
>  -Jason
>
>  -----------------------------------------------------------------------
>  I worry about my child and the Internet all the time, even though she's
>  too young to have logged on yet.  Here's what I worry about.  I worry
>  that 10 or 15 years from now, she will come to me and say "Daddy, where
>  were you when they took freedom of the press away from the Internet?"
> 	-- Mike Godwin
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.0.6 (FreeBSD)
> Comment: See https://private.idealab.com/public/jason/jason.gpg
>
> iD8DBQE8pSV/swXMWWtptckRAu5XAKDcoqWjYwJ9ZA/8VZknzRcswiNInwCeJkof
> Pu4+nXtlDtXSn4UKOe5nmqM=
> =yq8q
> -----END PGP SIGNATURE-----
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
>
>
>

-- 
Willie Viljoen
Private IT Consultant

214 Paul Kruger Avenue
Universitas
Bloemfontein
9321

South Africa

+27 51 522 15 60, a/h +27 51 522 44 36
+27 82 404 03 27

will@laserfence.net


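Editor's note: the setup above relies on the remote account having no shell and on the client passing -N. Neither stops the key itself from being used for forwarding: sshd does not execute the login shell for a session that requests no command, so anyone holding the passphrase-less key can open a forward through the server to any host it can reach. The server-side fix is to restrict the key in authorized_keys, which the following added example (not code from the message above) does. It produces the authorized_keys entry and the matching client config block, and checks an existing authorized_keys line for the restrictions a forward-only key should carry. The option names (restrict, port-forwarding, permitopen, no-pty, no-agent-forwarding, no-X11-forwarding, ExitOnForwardFailure, IdentitiesOnly, ServerAliveInterval) are OpenSSH's; restrict needs OpenSSH 7.2 or later, and the checker also accepts the older explicit no-* spelling. Host name, key file, user, ports and the key material are illustrative assumptions. Current OpenSSH disables ssh-dss keys by default, so the example uses an ed25519 key in place of the DSA key in the message.

```shell
#!/bin/sh
# Added example, not from the original message: build and check the pieces of a
# forward-only SSH key setup. Host, key file, ports and key text are placeholders.

# Print an authorized_keys line that lets the key do nothing but forward to the
# listed host:port targets. "restrict" (OpenSSH 7.2+) turns off pty allocation,
# agent/X11/port forwarding and user rc; "port-forwarding" turns forwarding back
# on and each "permitopen" limits it to one target.
# usage: forward_only_authorized_key 'ssh-ed25519 AAAA... comment' target...
forward_only_authorized_key() {
    pubkey=$1
    shift
    opts="restrict,port-forwarding"
    for target in "$@"; do
        opts="$opts,permitopen=\"$target\""
    done
    printf '%s %s\n' "$opts" "$pubkey"
}

# Print the client-side ~/.ssh/config block. ExitOnForwardFailure makes a
# batch-mode "ssh -f -N" exit instead of idling when the server refuses a forward.
# usage: client_config_block host keyfile localport:remotehost:remoteport...
client_config_block() {
    host=$1
    keyfile=$2
    shift 2
    printf 'Host %s\n' "$host"
    printf '\tBatchMode yes\n'
    printf '\tIdentityFile %s\n' "$keyfile"
    printf '\tIdentitiesOnly yes\n'
    printf '\tExitOnForwardFailure yes\n'
    printf '\tServerAliveInterval 60\n'
    for fwd in "$@"; do
        # LocalForward takes "[bind_address:]port host:hostport" as two arguments
        printf '\tLocalForward %s %s\n' "${fwd%%:*}" "${fwd#*:}"
    done
}

# True when the comma-separated option list $1 contains the option $2 exactly.
has_opt() {
    case ",$1," in
        *,"$2",*) return 0 ;;
    esac
    return 1
}

# Check that an authorized_keys line carries the restrictions an unattended,
# passphrase-less key should have: "restrict" or the older no-pty /
# no-agent-forwarding / no-X11-forwarding trio, plus at least one permitopen.
# Returns 0 when acceptable, 1 otherwise.
# usage: check_forward_only_line 'restrict,port-forwarding,permitopen="localhost:110" ssh-ed25519 AAAA...'
check_forward_only_line() {
    line=$1
    case "$line" in
        ''|'#'*|ssh-*|ecdsa-*|sk-*) return 1 ;;   # blank, comment, or bare key without options
    esac
    # The option list is everything before the key-type token.
    opts=$line
    for kt in ssh- ecdsa- sk-; do
        cand=${line%% $kt*}
        if [ ${#cand} -lt ${#opts} ]; then opts=$cand; fi
    done
    if [ "$opts" = "$line" ]; then return 1; fi   # no key-type token found
    if has_opt "$opts" restrict; then
        :
    elif has_opt "$opts" no-pty && has_opt "$opts" no-agent-forwarding \
         && has_opt "$opts" no-X11-forwarding; then
        :
    else
        return 1
    fi
    case "$opts" in
        *permitopen=*) return 0 ;;
    esac
    return 1
}

# Demonstration with constructed values: run as "sh script.sh demo".
if [ "${1:-}" = demo ]; then
    key='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER portfw@home'
    forward_only_authorized_key "$key" localhost:110 localhost:3128
    client_config_block apollo.laserfence.net /home/will/.ssh/portfw-id-ed25519 \
        9110:localhost:110 3128:localhost:3128
fi
```

The generated authorized_keys line goes into the remote user's ~/.ssh/authorized_keys; with it in place, ssh -f -N as above still works, but the same key used with -L to any other target, or with a command, is refused by sshd regardless of what shell the account has.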



