- djm@cvs.openbsd.org 2008/03/25 11:58:02

     [session.c sshd_config.5]
     ignore ~/.ssh/rc if a sshd_config ForceCommand is specified;
     from dtucker@ ok deraadt@ djm@

diff --git a/ChangeLog b/ChangeLog
index c3ec735281ab27de914e524190bf00e897a55b06..188dbf9f973263b2d8d8e5ef520b8229769d732a 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -33,6 +33,10 @@
      works now that kernel fd passing has been fixed to accept a bit of
      sloppiness because of this ABI repair.
      lots of discussion with kettenis
      works now that kernel fd passing has been fixed to accept a bit of
      sloppiness because of this ABI repair.
      lots of discussion with kettenis

+   - djm@cvs.openbsd.org 2008/03/25 11:58:02
+     [session.c sshd_config.5]
+     ignore ~/.ssh/rc if a sshd_config ForceCommand is specified;
+     from dtucker@ ok deraadt@ djm@

 
 20080315
  - (djm) [regress/test-exec.sh] Quote putty-related variables in case they are
 
 20080315
  - (djm) [regress/test-exec.sh] Quote putty-related variables in case they are

diff --git a/session.c b/session.c
index 54621a4c046f06c0756e3847a5390d7a20911cb8..3dcf222f59d27543bd480d4b7914948c2bf53529 100644 (file)
--- a/session.c
+++ b/session.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: session.c,v 1.230 2008/02/22 05:58:56 djm Exp $ */
+/* $OpenBSD: session.c,v 1.231 2008/03/25 11:58:02 djm Exp $ */

 /*
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
  *                    All rights reserved
 /*
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
  *                    All rights reserved


@@ -1202,8 +1202,9 @@ do_rc_files(Session *s, const char *shell)
        do_xauth =
            s->display != NULL && s->auth_proto != NULL && s->auth_data != NULL;
 
        do_xauth =
            s->display != NULL && s->auth_proto != NULL && s->auth_data != NULL;
 

-       /* ignore _PATH_SSH_USER_RC for subsystems */
-       if (!s->is_subsystem && (stat(_PATH_SSH_USER_RC, &st) >= 0)) {
+       /* ignore _PATH_SSH_USER_RC for subsystems and admin forced commands */
+       if (!s->is_subsystem && options.adm_forced_command != NULL &&
+           (stat(_PATH_SSH_USER_RC, &st) >= 0)) {

                snprintf(cmd, sizeof cmd, "%s -c '%s %s'",
                    shell, _PATH_BSHELL, _PATH_SSH_USER_RC);
                if (debug_flag)
                snprintf(cmd, sizeof cmd, "%s -c '%s %s'",
                    shell, _PATH_BSHELL, _PATH_SSH_USER_RC);
                if (debug_flag)

diff --git a/sshd_config.5 b/sshd_config.5
index 04bee73d31fe73711863e6836d3af423c1d32b97..be0234143f0e7d4e1a65e6a9e21629207eefea85 100644 (file)
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -34,7 +34,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"

-.\" $OpenBSD: sshd_config.5,v 1.83 2008/02/11 07:58:28 jmc Exp $
+.\" $OpenBSD: sshd_config.5,v 1.84 2008/03/25 11:58:02 djm Exp $

 .Dd $Mdocdate$
 .Dt SSHD_CONFIG 5
 .Os
 .Dd $Mdocdate$
 .Dt SSHD_CONFIG 5
 .Os


@@ -324,7 +324,9 @@ for more information on patterns.
 .It Cm ForceCommand
 Forces the execution of the command specified by
 .Cm ForceCommand ,
 .It Cm ForceCommand
 Forces the execution of the command specified by
 .Cm ForceCommand ,

-ignoring any command supplied by the client.
+ignoring any command supplied by the client and
+.Pa ~/.ssh/rc
+if present.

 The command is invoked by using the user's login shell with the -c option.
 This applies to shell, command, or subsystem execution.
 It is most useful inside a
 The command is invoked by using the user's login shell with the -c option.
 This applies to shell, command, or subsystem execution.
 It is most useful inside a