On Wednesday, August 30, 2006 10:12:27 AM -0500 Nicolas Williams <Nicolas.Williams%sun.com@localhost> wrote:
On Wed, Aug 30, 2006 at 12:54:01PM +0200, Jon Bright wrote:Nicolas Williams wrote: > >>> - An attribute is needed to set environment variables for the >>> environment where the command/shell/subsystem is executed. >> Why? Again, I think it's too late for this kind of substantive >> change. > > Because the facility you patterned this after (right? OpenSSH?) has a > way to associate environment variables with public keys. I didn't write the original version of this draft, I've just been shepherding it since it became a WG working item. It'd be nice to document how OpenSSH does this, but I think it's too late to make this the job of this draft.But then OpenSSH can't implement this protocol without changing its existing behaviour.
Therefore I think the fair thing to do would be to either allow the 'command-override' command to override subsystem commands also
I don't think so.Subsystems are not the same as shells. A subsystem name is essentially a protocol constant used to request a particular service; it is not a command. It's appropriate to limit what subsystems may be used, but not to replace a subsystem with a connection to a random program that does not speak the protocol defined for that subsystem. I understand that this is the current OpenSSH behavior, but I believe that behavior is problematic, and that defining a useful, interoperable behavior is more important than being consistent with OpenSSH.
OpenSSH _can_ implement this protocol without eliminating its existing behavior and without breaking backward-compatibility, by introducing a new keyword which has the effect specified for command-override.
-- Jeff