Re: Restrict SSH server to execute just a single program

[Jakub Jelen <jjelen@xxxxxxxxxx>]

On 4/13/23 21:41, Jose David Bravo A wrote:
> [...]
> And my other question is:
>
> I implemented an SSH server using the example in ssh_server.c as a base.
>
> The purpose of this SSH server is to only allow the execution of a 
> single program, without bash, port forwarding, or agent forwarding. Will 
> these additional functionalities be disabled if my callbacks are 
> configured like this?:
>
> struct ssh_server_callbacks_struct server_cb = {
>          .userdata = &sdata,
>          .auth_password_function = auth_password,
>          .channel_open_request_session_function = channel_open};
>
> struct ssh_channel_callbacks_struct channel_cb = {
>      .userdata = &cdata,
>      .channel_pty_request_function = pty_request,
>      .channel_pty_window_change_function = pty_resize,
>      .channel_shell_request_function = shell_request,
>      .channel_data_function = data_function};
>
> ssh_callbacks_init(&server_cb);
> ssh_callbacks_init(&channel_cb);
>
> Or will the client be able to execute any of these "forbidden" 
> functionalities?

The client should not be able to initiate any forwarding when there is 
no respective channel callback to handle them on the server side.

But it should be very easy to verify that by trying to run OpenSSH 
client with some forwarding options and observe the output.

Regards,
--
Jakub Jelen
Crypto Team, Security Engineering
Red Hat, Inc.