* Justin Wells said: > Marek, what's going on here is subtle so I should explain. You aren't > seeing the echoes from your startup file because bash isn't going [snip] > that it would go interactive since you specified (in one case) > that -t option giving it a TTY. Yes, now I get it. Thanks for the explanation - I have just tested it, it's exactly how you say it is... :( > What you really want to do to test this out is change your shell > to echo, so you can see what happens when ssh calls. I did, and yep, ssh2 uses the /etc/passwd shell for the account and, yes, Michael was perfectly right on that one. > It's my belief that ssh relies on your shell for everything; a good > reason was provided by Michael Stone: in case you have set a user with > a restrictive shell, ssh shouldn't allow them to circumvent that. > So, indeed, the only reasonable way is to create another UID 0 account which would allow ssh login with a static shell. However, to minimize the burden of password maintenance of two privileged accounts, I think the account should have a * as a password and RSA/DSA should be used to log onto that account. It seems to me it's quite a secure method and one that requires the potential user of this way of logging onto that account to set it up and thus to understand the way things work. Comments? marek
Attachment:
pgpLScI8sKMHN.pgp
Description: PGP signature