A question about ForceCommand

This is somewhat related to my other posting about sshfs but it's not
the same so I'm putting it in a different thread.

If I want only certain commands to work over an ssh connection I can
use ForceCommand.  However I'm not quite clear how it actually

I can understand how the Match section is used and so on but what does
one actually put after ForceCommand.  If one just puts a command name
with no parameters is the allowed user/host then able to use that
command with any parameters they specify?  E.g.  if I want to allow a
user only to be able to do backups using rdiff-backup (a quite likely
requirement in my case) can I just put:-

    Match userName
    ForceCommand rdiff-backup

at the end of the sshd_config file?  ... and the user would then be
able to use rdiff-backup with whatever parameters they require?

Note that rdiff-backup works somewhat like rsync, it requires that
rdiff-backup is installed at the remote (ssh server) end as well
as at the client end.

Chris Green

Re: A question about ForceCommand

On Dec 22, 12:12 pm, tinn...@isbd.co.uk wrote:

Do take a look at the on-line examples for SSH and rsync, such as
http://troy.jdmz.net/rsync/index.html . Typically, those use a small
utility that verifies the arguments of the rsync command are "safe", and
only then allows its arguments to be passed along to the real rsync

Re: A question about ForceCommand


Well that's certainly one approach to doing this but it seems to work
around the way that ssh works rather than actually using it.

I don't really need to limit what can be done with rsync (or
rdiff-backup) I just want to be sure that only that command can be

Chris Green

Re: A question about ForceCommand

On Dec 22, 3:39 pm, tinn...@isbd.co.uk wrote:

Right! Replace the word 'rsync' everywhere with 'rdiff-backup',
rename and edit the validation script for appropriate command line
arguments, and voila! You have at least a first pass at limiting
SSH-enabled operations to running rdiff-backup. Since some of it is shell
script based, it's not completely secure, but it's a usable first stab
at the problem.
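
An added example, not part of the original thread: when ForceCommand is set, sshd runs that command and ignores whatever the client asked for, leaving the client's request only in the SSH_ORIGINAL_COMMAND environment variable, so a validation script of the kind discussed above has to read that variable. The wrapper path, the user name `backupuser`, the `enforce` argument and the assumption that the client requests `rdiff-backup --server` are all hypothetical.

```shell
#!/bin/sh
# Hypothetical wrapper, installed e.g. as /usr/local/bin/rdiff-only and wired
# up in sshd_config with (user name constructed):
#   Match User backupuser
#       ForceCommand /usr/local/bin/rdiff-only enforce
# sshd runs this instead of the client's command; the client's request is
# only available as a string in $SSH_ORIGINAL_COMMAND.

# validate_request STRING
# Returns 0 only if STRING is "rdiff-backup --server" (assumption: the remote
# command sent by the rdiff-backup client). The string is split on spaces and
# compared word by word; it is never passed to eval or to a shell.
validate_request() {
    old_ifs=$IFS
    IFS=' '
    set -f                      # no filename expansion while splitting
    set -- $1                   # words become $1, $2, ...
    set +f
    IFS=$old_ifs
    [ "${1:-}" = rdiff-backup ] || return 1
    shift
    have_server=no
    for arg in "$@"; do
        case "$arg" in
            --server) have_server=yes ;;
            *) return 1 ;;      # any other word is refused
        esac
    done
    [ "$have_server" = yes ]
}

# Only act when started with the "enforce" argument from ForceCommand, so the
# function above can also be loaded and tested on its own.
if [ "${1:-}" = enforce ]; then
    request=${SSH_ORIGINAL_COMMAND:-}   # empty for an interactive login
    if validate_request "$request"; then
        exec rdiff-backup --server      # fixed argv, not the client's string
    fi
    printable=$(printf '%s' "$request" | tr -c '[:print:]' '?')
    logger -p auth.warning -t rdiff-only "refused: $printable"
    echo 'This account may only run "rdiff-backup --server".' >&2
    exit 1
fi
```

Refused requests are written to syslog with the `rdiff-only` tag, which gives a simple record to alert on if the account's key is ever used for anything other than backups.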
