AIX


.profile can be bypassed by putty ssh connection

  • 1.  .profile can be bypassed by putty ssh connection

    Posted Fri March 02, 2018 09:36 AM

    Originally posted by: tuccero


    Hello,

     

    I have an AIX6.1 server and I recently received a report from the security department that it is possible to bypass a user's .profile through PuTTY.

    Basically, on the SSH tab in PuTTY you can type the shell you want to load in the "remote command" cell, and in this way you can connect bypassing your .profile.

    I solved this issue for the bash shell by simply creating a file ".bashrc" in the user's home directory, and inside this file I have the following command:

    exec ~/.profile
    

    However, I cannot find a way to do the same for the ksh shell and force users to read .profile when they connect. If I type

    ksh
    

    in the "remote command" cell, I can connect to the server without executing .profile.

     

    Do you know a way to achieve this?

     

    Thank you in advance



  • 2.  Re: .profile can be bypassed by putty ssh connection

    Posted Mon March 05, 2018 10:52 AM

    Originally posted by: AncientAIXer


    Loading .profile only occurs when a login shell is started.  ssh allows commands to run without opening a shell.  But there may be ways of doing what you are wanting to do.  Also, ssh is flexible enough that no matter what you do on the server end, a user might be able to circumvent it with the client options.  I have not personally tried these, but there are several sshd configurations/options you might look into.

    1) The use of /etc/ssh/sshrc:

            Similar to ~/.ssh/rc, it can be used to specify machine-specific
            login-time initializations globally.  This file should be
            writable only by root, and should be world-readable.

    If you put the sourcing of .profile in this file, the user can still manipulate his/her .profile to circumvent some settings.  For more security, the options should be set in the file.

    2) Use of the ForceCommand option:

            Forces the execution of the command specified by ForceCommand,
            ignoring any command supplied by the client and ~/.ssh/rc if
            present.  The command is invoked by using the user's login shell
            with the -c option.  This applies to shell, command, or subsystem
            execution.  It is most useful inside a Match block.  The command
            originally supplied by the client is available in the
            SSH_ORIGINAL_COMMAND environment variable.  Specifying a command
            of internal-sftp will force the use of an in-process SFTP server
            that requires no support files when used with ChrootDirectory.
            The default is none.
    This might not allow a "remote command" and only allow interactive shells, or it may only allow the command specified to be executed.  You'll have to try it to find out. I have run across references to an SSH_ORIGINAL_COMMAND variable in connection with this option and making a wrapper script, so you might want to research that as well.


     



  • 3.  Re: .profile can be bypassed by putty ssh connection

    Posted Mon March 05, 2018 11:31 AM

    Originally posted by: tuccero


    Thank you very much for your answer.

    I already tested that today and I found that the ForceCommand option is more suitable for my needs.

    Here are the 2 tests I did on my server:

    1) $HOME/.ssh/rc --> I created the directory .ssh in a user's home directory and then the file "rc" to call the user's .profile. It is working as expected, but due to some variables that I export in a user's profile it wasn't the best solution for me. Also, if I chose this option it would mean that I have to create this directory and file in every user's home directory, keeping in mind as well that they need to be created when a new user is created.

     

    2) /etc/ssh/sshd_config --> I use the ForceCommand option to match specific user groups that I want to force to execute their .profile. The syntax is similar to the one below:

            Match Group group1,group2,group3,!group4
                ForceCommand ~/.profile

    In the example above I want to force .profile to be executed for users that belong to the groups (group1,group2,group3). However, this does not only apply to the user's primary group but to the user's groupset as well. For this reason I excluded group4 from the matching pattern. Therefore, if a user is a member of both group3 and group4, they will be excluded.
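
The wrapper-script approach mentioned in reply 2, combined with the Match block from reply 3, as an added example that is not part of the thread or written by either poster. The install path `/usr/local/sbin/ssh-force-profile` and the settings file `/etc/ssh/enforced_env` are hypothetical names, and the user profiles are assumed to be readable by `/bin/sh`.

```shell
#!/bin/sh
# Added example: a wrapper for sshd's ForceCommand (not code from the thread).
# Assumed, hypothetical paths: this script installed root-owned as
# /usr/local/sbin/ssh-force-profile, site settings in /etc/ssh/enforced_env.
#
# sshd_config, using the Match line from the thread:
#   Match Group group1,group2,group3,!group4
#       ForceCommand /usr/local/sbin/ssh-force-profile

# Source the user's profile first and the root-owned settings last, so the
# site's values are the ones in effect when the session starts. Only what a
# child process inherits (exported variables, umask, ulimits) carries over.
load_session_env() {  # $1 = user profile, $2 = root-owned settings file
    if [ -r "$1" ]; then . "$1"; fi
    [ -r "$2" ] || return 1   # fail closed if the enforced settings are missing
    . "$2"
}

# sshd puts whatever the client asked to run (PuTTY's "remote command" cell)
# in SSH_ORIGINAL_COMMAND; it is empty for a plain interactive login.
session_mode() {  # $1 = value of SSH_ORIGINAL_COMMAND
    if [ -z "$1" ]; then echo interactive; else echo command; fi
}

main() {
    if ! load_session_env "$HOME/.profile" /etc/ssh/enforced_env; then
        echo "session refused: enforced settings unavailable" >&2
        exit 1
    fi
    shell=${SHELL:-/bin/sh}   # sshd sets SHELL to the account's login shell
    case $(session_mode "${SSH_ORIGINAL_COMMAND:-}") in
        interactive) exec "$shell" ;;
        command)     exec "$shell" -c "$SSH_ORIGINAL_COMMAND" ;;
    esac
}

# Run only when invoked under the installed name, so the functions above can
# be sourced and exercised without starting a session.
case ${0##*/} in ssh-force-profile) main ;; esac
```

A profile that writes to standard output will corrupt scp and sftp sessions routed through the wrapper, so keep the sourced files silent for non-interactive sessions.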