How can I set path for non-interactive user authenticated using LDAP?

2

On a Mac running OSX 10.7.5, I need to set the PATH for non-interactive users who connect via ssh and are authenticated using LDAP. It's the same question that was asked (and answered) here:

https://serverfault.com/questions/139426/updating-the-path-for-running-an-command-through-ssh-with-ldap-user-account

but I'm no familiar enough with PAM or LDAP to fully understand the answer.

It looks like I need to:

add a line to /etc/pam.d/sshd saying "auth      required    pam_env.so"
create a file named /etc/security/pam_env.conf

but the documentation for pam_env.conf is really confusing and I can't tell if I need a DEFAULT or an OVERRIDE value.

Am I right that those are the correct steps? What is the line I should put into pam_env.conf?

Thanks, Chris

p.s. I tried putting the line "auth required pam_env.so debug" into /etc/pam.d/sshd and I'm not seeing anything in /var/log/system.log that looks like it is coming from pam_env.so. I also created /etc/security/pam_env.conf and put in it the line "PATH DEFAULT=/usr/fred OVERRIDE=/usr/george" and it had no visible effect on PATH.

p.p.s If I execute:

ssh USER@MACHINE echo \$SHELL

It says /bin/bash. If I then log onto MACHINE and add this line to /etc/bashrc:

export Test=Fred

and return to my machine and execute:

ssh USER@MACHINE echo \$Test

it returns nothing. When I log on this way using LDAP, it doesn't execute /etc/bashrc.

p.p.p.s Some additional information that might be important: On MACHINE there is no local user named USER. MACHINE has been set up to do LDAP authentication so when I ssh USER@MACHINE, my $HOME is set to /Network/Servers/blah/blah/Users/USER. If I edit /Network/Servers/blah/blah/Users/USER/.bashrc to set the PATH, it works correctly for me, but it's not a great solution because it means every person who wishes to access this server has to edit their network .bashrc.

Betty Crokker

Posted 2013-12-05T21:24:02.560

Reputation: 139

You could use shell initialization files for this. E.g. in case your users have their shell set to be /bin/bash, use /etc/bashrc. – Sami Laine – 2013-12-06T11:21:00.787

Thanks Sami, I tried it and it was a no-go. I edited my question to show what happened. – Betty Crokker – 2013-12-06T15:45:51.253

Well, now that I actually read the manual page instead of relying on my memory, I find it clearly states that only ~/.bashrc is consulted for non-login shells. Sorry for a shot in the dark. – Sami Laine – 2013-12-06T16:17:58.830

Answers

0

This is a modification of https://askubuntu.com/questions/382485/ssh-how-to-force-execution-of-a-script-etc-sshrc-forcecommand-on .

With the following you can force sourcing /etc/bashrc for all SSH logins, interactive or not. This may cause some problems to those users who rely on /etc/bashrc not getting executed for non-interactive logins, so proceed with caution (though this is exactly what you're asking for, so you probably know the implications).

First add ForceCommand /usr/local/bin/sshd_envs to /etc/sshd_config. Then put the following into /usr/local/bin/sshd_envs:

#!/bin/bash

source /etc/bashrc

if [ -n "$SSH_ORIGINAL_COMMAND" ]; then
  eval $SSH_ORIGINAL_COMMAND
else
  exec $SHELL
fi

Whatever environment settings you then put into /etc/bashrc will get into environment for every SSH login.

Please note that default /etc/bashrc for OS/X will exit immediately after evaluating first few lines (because PS1 is not set for non-interactive shells):

if [ -z "$PS1" ]; then
  return
fi

So either comment out these lines or put everything you want to get evaluated for your non-interactive SSH logins before those lines.

Sami Laine

Posted 2013-12-05T21:24:02.560

Reputation: 1 002

Asked: 2013-12-05T21:24:02.560

Viewed: 1 118 times

Active: 2013-12-06T16:55:38.587