Secure Shell
Re: Multiple forced commands being executed Jan 22 2011 10:27AM
Oliver Beattie (oliver obeattie com)
Hi Dominik,

Thanks for your reply, but I'm not sure I've properly explained what I
mean. In essence, from what I can see, it isn't just executing the
forced command for the key that is being used, it executes the
commands for *every* RSA key in the authorized_keys file, meaning I
get hundreds of commands being run for each login. The program is
itself checking the $SSH_ORIGINAL_KEY.

Hope this explains it better.

-Oliver

On 22 January 2011 09:43, Dominik George <nik (at) naturalnet (dot) de> wrote:
> Hi Oliver,
>
> this is essentially the point of the forced commands. SSH will execute
> them, no matter what the client actually provides as a command.
>
> If you instead want to just verify if the command is allowed, you will
> need a wrapper script as forced command that checks the
> $SSH_ORIGINAL_COMMAND environment variable and then decides what to do.
>
> Again, the forced-commands-only is for forcing a command, not for
> verifying it.
>
> -nik
>
>> Hi there,
>>
>> I am having a very strange problem with SSH. Essentially, I'm using
>> forced commands to restrict access based on public key (there are
>> around 2000 public keys). It appears to work okay, but when I look at
>> the ssh -v output I see that the client/server is actually executing
>> all the forced commands for RSA keys (I am connecting with an RSA key)
>> until it "hits" my key.
>>
>> Anyone have any idea why this is happening? I have no clue where to
>> even look for hints as to what would cause this?
>>
>> Here's an example of the output I am seeing (condensed, the real
>> output is ~3000 lines):
>>
>> OpenSSH_5.2p1, OpenSSL 0.9.8l 5 Nov 2009
>> debug1: Authentication succeeded (publickey).
>> debug2: fd 5 setting O_NONBLOCK
>> debug2: fd 6 setting O_NONBLOCK
>> debug1: channel 0: new [client-session]
>> debug3: ssh_session2_open: channel_new: 0
>> debug2: channel 0: send open
>> debug1: Requesting no-more-sessions@openssh.com
>> debug1: Entering interactive session.
>> debug1: Remote: Forced command: gitosis-serve osjokine
>> debug1: Remote: Port forwarding disabled.
>> debug1: Remote: X11 forwarding disabled.
>> debug1: Remote: Agent forwarding disabled.
>> debug1: Remote: Pty allocation disabled.
>> [... hundreds more like this ...]
>> debug1: Remote: Forced command: gitosis-serve obeattie
>> debug1: Remote: Port forwarding disabled.
>> debug1: Remote: X11 forwarding disabled.
>> debug1: Remote: Agent forwarding disabled.
>> debug1: Remote: Pty allocation disabled.
>> debug1: Remote: Forced command: gitosis-serve osjokine
>> debug1: Remote: Port forwarding disabled.
>> debug1: Remote: X11 forwarding disabled.
>> debug1: Remote: Agent forwarding disabled.
>> debug1: Remote: Pty allocation disabled.
>> [... hundreds more again ...]
>> debug1: Remote: Forced command: gitosis-serve obeattie
>> debug1: Remote: Port forwarding disabled.
>> debug1: Remote: X11 forwarding disabled.
>> debug1: Remote: Agent forwarding disabled.
>> debug1: Remote: Pty allocation disabled.
>> debug2: callback start
>>
>> -Oliver
>>
>
>
>
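
The wrapper-script approach suggested in the quoted reply (a forced command that inspects $SSH_ORIGINAL_COMMAND before anything runs), as an added example that is not part of the original thread. The script name `ssh-gate`, the function `vet_command` and the allow-list of the two git transport verbs are assumptions made for illustration; the hand-off to `gitosis-serve` mirrors the forced command shown in the debug output.

```shell
#!/bin/sh
# Added example: forced-command wrapper. Hypothetical authorized_keys entry:
#   command="/usr/local/bin/ssh-gate obeattie",no-port-forwarding,no-pty ssh-rsa AAAA...
LC_ALL=C; export LC_ALL   # keep A-Z style ranges byte-exact

# vet_command ORIGINAL_COMMAND
# Prints the normalised "verb repo" and returns 0 only if the request is allowed.
vet_command() {
    orig=$1
    [ -n "$orig" ] || return 1            # no command means an interactive login
    case $orig in                         # any byte outside the allow-list is refused
        *[!A-Za-z0-9\ ._/\'-]*) return 1 ;;
    esac
    verb=${orig%% *}
    arg=${orig#* }
    [ "$verb" != "$orig" ] || return 1    # a verb without an argument
    case $verb in
        git-upload-pack|git-receive-pack) ;;
        *) return 1 ;;
    esac
    arg=${arg#\'}; arg=${arg%\'}          # git quotes the repository path
    case $arg in                          # empty, absolute, traversal, stray quote or space
        ''|/*|*..*|*\'*|*\ *) return 1 ;;
    esac
    printf '%s %s\n' "$verb" "$arg"
}

# Entry point, used only when the file is installed under the name ssh-gate.
main() {
    user=$1
    if ! vetted=$(vet_command "${SSH_ORIGINAL_COMMAND:-}"); then
        echo "ssh-gate: request refused for $user" >&2
        exit 1
    fi
    echo "ssh-gate: $user -> $vetted" >&2
    # gitosis-serve reads SSH_ORIGINAL_COMMAND from the environment itself.
    exec gitosis-serve "$user"
}

case ${0##*/} in
    ssh-gate) main "$@" ;;
esac
```
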

Copyright 2010, SecurityFocus