[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: impossible d'accéder à mon desktop en ssh

Le 05-03-2010, à 17:48:26 +0100, Julien (julien@nura.eu) a écrit :

> Le vendredi 05 mars 2010 à 17:32 +0100, steve a écrit :
> > Je viens de découvrir que cette option possède une valeur dédiée à ce
> > genre d'opérations. De « man sshd_config » :
> > 
> > If this option is set to “forced-commands-only”, root login with public
> > key authentication will be allowed, but only if the command option has
> > been specified (which may be useful for taking remote backups even if
> > root login is normally not allowed).  All other authentication methods
> > are disabled for root.
> Est-ce que la commande peut être bash ? 
> Les tests chez moi ne sont pas très concluant ou je n'ai rien compris :
> - Je change /etc/ssh/sshd_config :
> "PermitRootLogin yes" vers "PermitRootLogin forced-commands-only"
> - Je redémarre ssh 
> - "ssh root@machine" me demande un mot de passe, le login ne fonctionne
> pas (normal !)
> - "ssh root@machine pwd" idem demande de mot de passe, le login ne passe
> pas (pas normal je dirais!)
> auth.log me dit :
> Est-ce qu'il faut rajouté les commandes autorisée
> dans .ssh/authorized_keys par exemple ?

D'après man sshd, oui :

The options (if present) consist of comma-separated option
specifications.  No spaces are permitted, except within double quotes.
The following option specifications are supported (note that option
keywords are case-insensitive):

	  command="command" Specifies that the command is executed whenever
this key is used for authentication.  The command supplied by the user
(if any) is ignored.  The command is run on a pty if the client requests
a pty; otherwise it is run without a tty.  If an 8-bit clean channel is
required, one must not request a pty or should specify no-pty.  A quote
may be included in the command by quoting it with a backslash.  This
option might be useful to restrict certain public keys to perform just a
specific operation.  An example might be a key that permits remote
backups but nothing else.  Note that the client may specify TCP and/or
X11 forwarding unless they are explicitly prohibited.  The command
originally supplied by the client is available in the
SSH_ORIGINAL_COMMAND environment variable.  Note that this option
applies to shell, command or subsystem execution.

Tiens-mous au courant. 

Reply to: