On 5/4/07, Nicolas Williams <[EMAIL PROTECTED]> wrote:
> On Fri, May 04, 2007 at 08:26:14PM +0200, [EMAIL PROTECTED] wrote:
> > Apparently the definition of login shell vs. interactive shell changed
> > somewhere in the lineage of SUNWssh. A Solaris 9 box running
> > 113273-10 processed $HOME/.profile even when scp was being run. A
> > Solaris 9 box running 113273-11 never processes $HOME/.profile unless
> > an interactive session is used. The following CR seems to be
> > related...
>
> I'm surprised it ran ~/.profile before.
Upon further review, I have tracked this down to the fact that in the past the particular users had .ssh/authorized_keys files that said something like:

    environment="ENV=.profile" ssh-rsa AAAAB3Nz ...

This is how it was getting processed. With the latest ssh bits, "PermitUserEnvironment yes" is required in /etc/ssh/sshd_config.
> And I see the same thing in S10/SNV. So, what gives?
You are right on this. Looks like I was barking up the wrong tree.

The "bypass restricted shell path" problem continues to exist, particularly for rsh(1m) (/usr/lib/rsh, not rsh(1) /usr/bin/rsh). For rksh + ssh, the use of a controlled .ssh/environment that sets ENV appropriately seems to work as well. The one exception is that sftp has too long of a leash.

<offtopic>
As I was looking for PermitUserEnvironment references in the README for 113273-11 (there are none), I found this gem:

    Files included with this patch:

    /etc/init.d/sshd
    /etc/rc0.d/K03sshd
    /etc/rc1.d/K03sshd
    /etc/rc2.d/K03sshd
    /etc/rc3.d/S89sshd
    /etc/rcS.d/K03sshd
    /etc/ssh/moduli
    /etc/ssh/sshd_config
    /usr/lib/ssh/sftp-server
    /usr/lib/ssh/ssh-http-proxy-connect
    /usr/lib/ssh/ssh-keysign
    /usr/lib/ssh/ssh-socks5-proxy-connect
    /usr/lib/ssh/sshd
    <end of file list, snip>

    NOTE 1: Preform a reconfiguration boot, boot -r, after patch installation.

Why is it that a reconfiguration reboot is required? Simply restarting sshd seems to be sufficient. Certainly there is no reason for a *reconfiguration* reboot.
</offtopic>

Mike

--
Mike Gerdts
http://mgerdts.blogspot.com/

_______________________________________________
networking-discuss mailing list
[email protected]
