I have two systems running: IRIX 6.5.8 + ssh 1.2.27 (client & server). I turn off telnet, rsh, etc. and only use ssh between them.

On SERVER_A I want login accounts. On SERVER_B, most users will only be able to run commands. I cannot seem to get this to work with ssh (although rsh may work).

So on SERVER_A they have a real password & shell; on SERVER_B I would like to use /bin/false for the shell &/or lock the account. The only things that allow the user testr2 to ssh SERVER_B command & have the command work also allow testr2 to ssh SERVER_B and achieve a login shell, which I do not want.

Is this not possible with ssh? Or do I have ssh set up incorrectly?

Examples and diagnostic output:

If the account on SERVER_B is a locked account, I get in B's syslog (with fascist logging turned on for sshd on B):

Nov 3 08:28:46 6E:SERVRB sshd[107258]: log: Connection from ADDRESS_SERVER_A port 1023
Nov 3 08:28:46 7E:SERVRB sshd[107003]: debug: Forked child 107258.
Nov 3 08:28:46 7E:SERVRB sshd[107258]: debug: Client protocol version 1.5; client software version 1.2.27
Nov 3 08:28:46 7E:SERVRB sshd[107258]: debug: Sent 768 bit public key and 1024 bit host key.
Nov 3 08:28:46 7E:SERVRB sshd[107258]: debug: Encryption type: idea
Nov 3 08:28:46 7E:SERVRB sshd[107258]: debug: Received session key; encryption turned on.
Nov 3 08:28:46 7E:SERVRB sshd[107258]: debug: Installing crc compensation attack detector.
Nov 3 08:28:46 7E:SERVRB sshd[107258]: debug: Account testr2 is locked.
Nov 3 08:29:08 6E:SERVRB sshd[107258]: fatal: Connection closed by remote host.   << used cntl c at client end to end
Nov 3 08:29:08 7E:SERVRB sshd[107258]: debug: Calling cleanup 0x1001fa20(0x0)

So locking doesn't work. I saw an email list suggesting using x instead of *LK* in the shadow file password field for locking. When I did this, the command worked, but the user was able to log in. So that isn't what I want.
So then I tried using /bin/true and /bin/false as shells on SERVER_B, and with a password, rather than locking the account. Then I get the ssh session to do something, but there is no output, e.g.:

From client side:

ssh -v SERVER_B date
SSH Version 1.2.27 [mips-sgi-irix6.5], protocol version 1.5.
Standard version. Does not use RSAREF.
SERVER_A: Reading configuration data /etc/ssh_config
SERVER_A: ssh_connect: getuid 99992 geteuid 0 anon 0
SERVER_A: Connecting to SERVER_B [SERVER_B_IP] port 22.
SERVER_A: Allocated local port 1022.
SERVER_A: Connection established.
SERVER_A: Remote protocol version 1.5, remote software version 1.2.27
SERVER_A: Waiting for server public key.
SERVER_A: Received server public key (768 bits) and host key (1024 bits).
SERVER_A: Host 'SERVER_B' is known and matches the host key.
SERVER_A: Initializing random; seed file /home/testr2/.ssh/random_seed
SERVER_A: Encryption type: idea
SERVER_A: Sent encrypted session key.
SERVER_A: Installing crc compensation attack detector.
SERVER_A: Received encrypted confirmation.
SERVER_A: Remote: Server does not permit empty password login.
SERVER_A: Trying rhosts authentication.
SERVER_A: Remote: Accepted for SERVER_A [SERVER_A_IP] by /etc/hosts.equiv.
SERVER_A: Requesting X11 forwarding with authentication spoofing.
SERVER_A: Requesting authentication agent forwarding.
SERVER_A: Sending command: /sbin/date
SERVER_A: Entering interactive session.
SERVER_A: Transferred: stdin 0, stdout 0, stderr 0 bytes in 0.1 seconds
SERVER_A: Bytes per second: stdin 0.0, stdout 0.0, stderr 0.0
SERVER_A: Exit status 255

There is no output from the date command (although there is if I have a real shell like bash; I get

SERVER_A: Sending command: /sbin/date
SERVER_A: Entering interactive session.
Fri Nov 3 13:53:32 EST 2000
SERVER_A: Transferred: stdin 0, stdout 29, stderr 0 bytes in 0.2 seconds

)

From Server side:

Nov 3 13:39:32 7E:darwin sshd[107003]: debug: Forked child 115830.
Nov 3 13:39:32 6E:darwin sshd[115830]: log: Connection from SERVER_A_IP port 1022
Nov 3 13:39:32 7E:darwin sshd[115830]: debug: Client protocol version 1.5; client software version 1.2.27
Nov 3 13:39:32 7E:darwin sshd[115830]: debug: Sent 768 bit public key and 1024 bit host key.
Nov 3 13:39:32 7E:darwin sshd[115830]: debug: Encryption type: idea
Nov 3 13:39:32 7E:darwin sshd[115830]: debug: Received session key; encryption turned on.
Nov 3 13:39:32 7E:darwin sshd[115830]: debug: Installing crc compensation attack detector.
Nov 3 13:39:32 7E:darwin sshd[115830]: debug: Attempting authentication for testr2.
Nov 3 13:39:32 6E:darwin sshd[115830]: log: Rhosts authentication accepted for testr2, remote testr2 on SERVER_A.
Nov 3 13:39:32 7E:darwin sshd[115830]: debug: Received request for X11 forwarding with auth spoofing.
Nov 3 13:39:32 7E:darwin sshd[115830]: debug: bind port 6010: Address already in use
Nov 3 13:39:32 7E:darwin sshd[115830]: debug: bind port 6011: Address already in use
Nov 3 13:39:32 7E:darwin sshd[115830]: debug: bind port 6012: Address already in use
Nov 3 13:39:32 7E:darwin sshd[115830]: debug: Allocated channel 0 of type 1.
Nov 3 13:39:32 7E:darwin sshd[115830]: debug: Received authentication agent forwarding request.
Nov 3 13:39:32 7E:darwin sshd[115830]: debug: Allocated channel 1 of type 10.
Nov 3 13:39:32 7E:darwin sshd[115830]: debug: Executing command '/sbin/date'
Nov 3 13:39:32 6E:darwin sshd[115829]: log: executing remote command as user testr2
Nov 3 13:39:32 7E:darwin sshd[115830]: debug: Entering interactive session.
Nov 3 13:39:32 7E:darwin sshd[115830]: debug: Received SIGCHLD.
Nov 3 13:39:32 7E:darwin sshd[115830]: debug: End of interactive session; stdin 0, stdout (read 0, sent 0), stderr 0 bytes.
Nov 3 13:39:32 7E:darwin sshd[115830]: debug: Command exited with status 255.
Nov 3 13:39:32 7E:darwin sshd[115830]: debug: Received exit confirmation.
Nov 3 13:39:32 6E:darwin sshd[115830]: log: Closing connection to SERVER_A_IP
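
Added example, not part of the original post: sshd hands a remote command to the account's login shell as "<shell> -c <command>", so a shell that ignores its arguments produces no output, while a real shell also permits a login. The sketch below is a command-only login shell that accepts listed commands and refuses interactive use; the name cmdonly-shell and the allow-list are assumptions made for illustration.

```shell
#!/bin/sh
# Hypothetical command-only login shell (constructed example, not from the post).
# sshd starts the login shell as "<shell> -c '<command>'" for "ssh host command"
# and with no arguments for an interactive login.

# Constructed allow-list: exact command strings mapped to a fixed program name.
# /sbin/date is the command string seen in the post's trace; the rest are assumptions.
lookup_allowed() {
    case "$1" in
        date|/sbin/date|/bin/date) echo "date" ;;
        uptime)                    echo "uptime" ;;
        *)                         return 1 ;;
    esac
}

cmdonly_shell() {
    # No arguments means an interactive login attempt: refuse it.
    if [ "$#" -eq 0 ]; then
        echo "interactive logins are disabled for this account" >&2
        return 1
    fi
    # Anything other than exactly "-c <command>" is refused.
    if [ "$#" -ne 2 ] || [ "$1" != "-c" ]; then
        echo "unsupported invocation" >&2
        return 2
    fi
    # The whole string must match an entry; it is never parsed or evaluated,
    # so "date; sh" is rejected rather than partially executed.
    prog=$(lookup_allowed "$2") || {
        echo "command not permitted" >&2
        return 3
    }
    # Resolve the program through a fixed PATH, not one the client influences.
    PATH=/sbin:/usr/sbin:/bin:/usr/bin
    export PATH
    "$prog"
}

# Dispatch only when installed under the (assumed) name cmdonly-shell,
# e.g. as the shell field of the account's passwd entry on SERVER_B.
case "${0##*/}" in
    cmdonly-shell) cmdonly_shell "$@"; exit $? ;;
esac
```

The account still needs a valid, unlocked password entry for sshd to accept it; the restriction comes from the shell field alone.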
