On Fri, 2007-09-21 at 08:43 +0200, Rainer Peter Feller wrote:
> On Thu, 2007-09-20 at 08:30 -0400, Greg Wooledge wrote:
> > On Wed, Sep 19, 2007 at 09:39:56AM +0200, Rainer Peter Feller wrote:
> > > On Tue, 2007-09-18 at 12:19 +0100, Martin Simovic wrote:
> > > > is there a way to restrict commands passed to ssh (client) to override
> > > > command line options
> > > So I made a patch by myself, which I also update with every new release
> > > For the patch to openssh-4.7p1 see attachment
> > > The name of the not overridable config file is ssh_config_p
> >
> > What prevents people from bypassing this by using an unpatched client?
> a careful setup
> the user can write only on filesystems where files are not executable
> AND all binaries have to be static, so you need
> no /lib/ld-linux-2.so :-)
Hi,

thanks for a patch, works perfectly as expected. However, I still have a next problem:

my setup is: chrooted environment (using libpam-chroot) where is supposed to reside only shell (statically compiled bash) and ssh client. I have recompiled ssh client (with patch applied) statically using ./configure --with-ldflags=-static at configure time.

the problem is that to make an ssh client work (even compiled static with all the libraries found using ldd /usr/bin/ssh), it still needs to load dynamic libs in order to get an UID and all the stuff needed for DNS resolving. So I end up with: static bash, static ssh and

etc/ld.so.cache
lib/ld-linux.so.2
lib/tls/i686/cmov/libc.so.6
lib/tls/i686/cmov/libnsl.so.1
lib/tls/i686/cmov/libnss_compat.so.2
lib/tls/i686/cmov/libnss_dns.so.2
lib/tls/i686/cmov/libresolv.so.2

all just to make ssh client work.

would there be a way how to get rid of all libraries? In my opinion a static compiled client makes no sense if there is still a need to load shared libraries?

thanks a lot,
martin.
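The situation Martin describes (a binary linked with -static that still pulls in ld-linux, libc.so.6 and the libnss_* modules at run time for getpwuid and DNS lookups) is easy to miss when auditing a chroot, because ldd reports such a binary as "not a dynamic executable". The script below is an added check for that, not part of the thread or of OpenSSH: it scans a file for embedded references to the glibc loader and NSS module names and lists what it finds, so the chroot builder can see which shared objects the binary would try to dlopen before deciding whether they really have to be copied in. The pattern list (libnss_*.so.N, libresolv, ld-linux, libc.so.6) is an assumption based on the file names in the message; other libc implementations use different names, and the constructed sample files stand in for real binaries so the script runs offline.

```shell
#!/bin/sh
# check_static_nss.sh: report whether a supposedly static binary still
# carries references to glibc's loader / NSS machinery.
# Assumption: glibc-style names (libnss_*.so.N, libresolv, ld-linux, libc.so.6),
# taken from the library list in the message above.

# Exit 0 when the file embeds no loader/NSS references, 1 when it does.
# grep -a treats the binary as text; -q only reports success/failure.
has_nss_refs() {
    grep -a -q -E 'libnss_[a-z]+\.so|ld-linux|libc\.so\.6|libresolv' "$1"
}

# Print the unique NSS/resolver module names embedded in the file
# (empty output if none), so the operator knows which objects a
# getpwuid() or gethostbyname() call would try to dlopen at run time.
list_nss_refs() {
    grep -a -o -E 'libnss_[a-z]+\.so\.[0-9]+|libresolv\.so\.[0-9]+' "$1" | sort -u
}

# Human-readable verdict for one file; returns 1 on a finding.
report() {
    f=$1
    if has_nss_refs "$f"; then
        echo "$f: still references loader/NSS components:"
        list_nss_refs "$f" | sed 's/^/  /'
        return 1
    fi
    echo "$f: no loader/NSS references found"
    return 0
}

# Constructed sample inputs (not real ELF files) so the check can be
# exercised without a compiler. The first mimics a "static" glibc ssh
# that still names its NSS modules; the second mimics a clean binary.
mk_samples() {
    dir=$(mktemp -d)
    printf 'ELFjunk\0getpwuid\0libnss_compat.so.2\0libnss_dns.so.2\0libresolv.so.2\0' \
        > "$dir/ssh_static_fake"
    printf 'ELFjunk\0main\0' > "$dir/clean_fake"
    echo "$dir"
}

# Usage: check_static_nss.sh /path/to/chroot/bin/ssh [more files...]
if [ "$#" -gt 0 ]; then
    rc=0
    for f in "$@"; do report "$f" || rc=1; done
    exit $rc
fi
```

Run it against the binaries inside the chroot rather than the build tree, since that is the copy that will actually be executed. A hit on libnss_* means the binary will attempt to load those modules from the chroot at run time, which is exactly why the list in the message cannot simply be deleted; a clean result on a genuinely static binary is what a chroot with no loader at all requires.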
