Secure Shell
Re: Multiple forced commands being executed Jan 22 2011 10:50AM
Dominik George (dev naturalnik de)

Hi Oliver,

oh, sure, I didn't exactly get that. I will try to reproduce that ...

-nik

On 22.01.2011 11:27, Oliver Beattie wrote:
> Hi Dominik,
>
> Thanks for your reply, but I'm not sure I've properly explained
> what I mean. In essence, from what I can see, it isn't just
> executing the forced command for the key that is being used, it
> executes the commands for *every* RSA key in the authorized_keys
> file, meaning I get hundreds of commands being run for each login.
> The program is itself checking the $SSH_ORIGINAL_KEY.
>
> Hope this explains it better.
>
> -Oliver
>
>
>
> On 22 January 2011 09:43, Dominik George <nik (at) naturalnet (dot) de>
> wrote:
>> Hi Oliver,
>>
>> this is essentially the point of the forced commands. SSH will
>> execute them, no matter what the client actually provides as a
>> command.
>>
>> If you instead want to just verify if the command is allowed, you
>> will need a wrapper script as forced command that checks the
>> $SSH_ORIGINAL_COMMAND environment variable and then decides what
>> to do.
>>
>> Again, the forced-commands-only is for forcing a command, not
>> for verifying it.
>>
>> -nik
>>
>>> Hi there,
>>>
>>> I am having a very strange problem with SSH. Essentially, I'm
>>> using forced commands to restrict access based on public key
>>> (there are around 2000 public keys). It appears to work okay,
>>> but when I look at the ssh -v output I see that the
>>> client/server is actually executing all the forced commands for
>>> RSA keys (I am connecting with an RSA key) until it "hits" my
>>> key.
>>>
>>> Anyone have any idea why this is happening? I have no clue
>>> where to even look for hints as to what would cause this?
>>>
>>> Here's an example of the output I am seeing (condensed, the
>>> real output is ~3000 lines):
>>>
>>> OpenSSH_5.2p1, OpenSSL 0.9.8l 5 Nov 2009
>>> debug1: Authentication succeeded (publickey).
>>> debug2: fd 5 setting O_NONBLOCK
>>> debug2: fd 6 setting O_NONBLOCK
>>> debug1: channel 0: new [client-session]
>>> debug3: ssh_session2_open: channel_new: 0
>>> debug2: channel 0: send open
>>> debug1: Requesting no-more-sessions@openssh.com
>>> debug1: Entering interactive session.
>>> debug1: Remote: Forced command: gitosis-serve osjokine
>>> debug1: Remote: Port forwarding disabled.
>>> debug1: Remote: X11 forwarding disabled.
>>> debug1: Remote: Agent forwarding disabled.
>>> debug1: Remote: Pty allocation disabled.
>>> [... hundreds more like this ...]
>>> debug1: Remote: Forced command: gitosis-serve obeattie
>>> debug1: Remote: Port forwarding disabled.
>>> debug1: Remote: X11 forwarding disabled.
>>> debug1: Remote: Agent forwarding disabled.
>>> debug1: Remote: Pty allocation disabled.
>>> debug1: Remote: Forced command: gitosis-serve osjokine
>>> debug1: Remote: Port forwarding disabled.
>>> debug1: Remote: X11 forwarding disabled.
>>> debug1: Remote: Agent forwarding disabled.
>>> debug1: Remote: Pty allocation disabled.
>>> [... hundreds more again ...]
>>> debug1: Remote: Forced command: gitosis-serve obeattie
>>> debug1: Remote: Port forwarding disabled.
>>> debug1: Remote: X11 forwarding disabled.
>>> debug1: Remote: Agent forwarding disabled.
>>> debug1: Remote: Pty allocation disabled.
>>> debug2: callback start
>>>
>>> -Oliver
>>>
>>
>>
>>

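The thread mentions using a wrapper script as the forced command to check `$SSH_ORIGINAL_COMMAND` before deciding what to run. The sketch below is an added example of such a wrapper, not code from either poster or from gitosis. The wrapper path `/usr/local/bin/ssh-gate`, the repository root `/srv/git`, and the rule that a key may only push below its own user namespace are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: forced-command wrapper that validates SSH_ORIGINAL_COMMAND.
# Assumed authorized_keys entry (wrapper path and key are placeholders):
#   command="/usr/local/bin/ssh-gate obeattie",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa <key>
REPO_ROOT=/srv/git   # assumption: where the repositories live

# check_command USER ORIGINAL_COMMAND
# Prints "<verb> <repo>" and returns 0 when allowed; returns 1 otherwise.
check_command() {
    user=$1 orig=$2
    # Accept only the two git transports, each with one single-quoted argument.
    # An empty command (interactive login attempt) falls through to the deny arm.
    case "$orig" in
        "git-upload-pack '"*"'")  verb=git-upload-pack ;;
        "git-receive-pack '"*"'") verb=git-receive-pack ;;
        *) return 1 ;;
    esac
    repo=${orig#"$verb '"}
    repo=${repo%"'"}
    # Deny empty or absolute paths, traversal, and any character outside the
    # allowlist (this also rejects quotes, spaces and shell metacharacters).
    case "$repo" in
        ''|/*|*..*|*[!A-Za-z0-9._/-]*) return 1 ;;
    esac
    # Hypothetical policy: a key may push only below its own user namespace.
    if [ "$verb" = git-receive-pack ]; then
        case "$repo" in
            "$user"/*) ;;
            *) return 1 ;;
        esac
    fi
    printf '%s %s\n' "$verb" "$repo"
}

main() {
    if ! decision=$(check_command "$1" "${SSH_ORIGINAL_COMMAND:-}"); then
        echo "request denied for key owner $1" >&2
        exit 1
    fi
    # Splitting is safe: both fields already passed the allowlist above.
    set -- $decision
    exec git shell -c "$1 '$REPO_ROOT/$2'"
}

# sshd passes the key owner as the first argument; with no argument nothing runs.
if [ "$#" -gt 0 ]; then main "$@"; fi
```

Because the decision is made in `check_command` and nothing is executed until it succeeds, any request the patterns do not recognise ends the session without running a command.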

Copyright 2010, SecurityFocus