Hi,

I'm trying to create a dynamic DNS system by using the nsupdate (or Net::DNS) through a non-passphrase-protected ssh session. I've keygen'ed an extra key, with no passphrase, and using it, I execute a little script on the server, which updates the DNS records. (Something like this: ssh pickup /usr/local/bin/updatedns 10.1.2.3)

This all works fine and dandy. I would like to protect this scheme more by using the command="<command>" feature; the only problem is that I can't use an ip-number in authorized_keys (because I do not know it).

In an interactive shell, the env variable 'SSH_CLIENT' is set, and this variable can easily be parsed for the connecting ipnumber. The real problem is that this variable is _not_ set when just executing a remote command.

Is it possible to retrieve the ipnumber of the connecting client while executing a remote command? Simply turning on the environment variables should suffice.

I'm using OpenSSH version 2.2.0p1 on Debian GNU.

gr,
Sendy De Graaf
sendy at dds.nl
Hi,

I cannot reproduce this:

folly% cat bin/echoclient
#!/bin/sh
env|grep SSH
folly% grep bin/echoclient .ssh/authorized_keys2
command="/home/markus/bin/echoclient",from="::1" ssh-dss [...] markus at folly
folly% ssh ::1
SSH_CLIENT=::1 43697 22
SSH_TTY=/dev/ttyp9
Connection to ::1 closed.
folly%

So it works fine.

On Sun, Sep 24, 2000 at 02:47:36PM +0200, Sendy wrote:
> Hi,
>
> I'm trying to create a dynamic DNS system by using the nsupdate (or Net::DNS) through a non-passphrase-protected ssh session. I've keygen'ed an extra key, with no passphrase, and using it, I execute a little script on the server, which updates the DNS records. (Something like this: ssh pickup /usr/local/bin/updatedns 10.1.2.3)
>
> This all works fine and dandy. I would like to protect this scheme more by using the command="<command>" feature; the only problem is that I can't use an ip-number in authorized_keys (because I do not know it).
>
> In an interactive shell, the env variable 'SSH_CLIENT' is set, and this variable can easily be parsed for the connecting ipnumber. The real problem is that this variable is _not_ set when just executing a remote command.
>
> Is it possible to retrieve the ipnumber of the connecting client while executing a remote command? Simply turning on the environment variables should suffice.
>
> I'm using OpenSSH version 2.2.0p1 on Debian GNU.
>
> gr,
> Sendy De Graaf
> sendy at dds.nl
>
On Sun, 24 Sep 2000, Sendy wrote:
> In an interactive shell, the env variable 'SSH_CLIENT' is set, and
> this variable can easily be parsed for the connecting ipnumber. The
> real problem is that this variable is _not_ set when just executing a
> remote command.

Are you sure this doesn't happen?

[damien at neon openssh]$ ssh localhost 'env|grep SSH_CLIENT'
SSH_CLIENT=127.0.0.1 728 22

-d

--
| ``The power of accurate observation is  | Damien Miller <djm at mindrot.org>
| commonly called cynicism by those who   | @Work <djm at ibs.com.au>
| have not got it'' - George Bernard Shaw | http://www.mindrot.org
Hi,

We (Sendy & me) think it is a bash problem. I'm testing on a Debian woody i386 system.

bash-2.04$ ssh localhost 'env | grep SSH'
daniel at localhost's password:
SSH_AUTH_SOCK=/tmp/ssh-IcJ10349/agent.10349

So I made a small test program:

--- code ---
#include <stdio.h>
#include <unistd.h>

int main() {
    char *argv[3];
    char *env[3];   /* two variables plus the terminating NULL */

    env[0] = "SSH_WHATEVER=OK";
    env[1] = "SSH_CLIENT=127.0.0.1 929 22";
    env[2] = NULL;

    argv[0] = "-bash";   /* leading '-' starts a login shell */
    argv[1] = NULL;

    /* replace this process with bash, passing only the environment above */
    execve("/bin/bash", argv, env);
    return 0;
}
--- end code ---

In this program the SSH_CLIENT doesn't show up either:

bash-2.04$ ./test
daniel at this:/usr/local/src/test-execve$ env | grep SSH
SSH_WHATEVER=OK

If I change the shell in the program to "/bin/ash" (or "/bin/csh") everything is OK:

bash-2.04$ ./test
$ env | grep SSH
SSH_CLIENT=127.0.0.1 929 22
SSH_WHATEVER=OK

In the bash source the SSH_CLIENT is treated as a 'special variable', and if we remove this treatment the patched bash version works OK with sshd.

So I have mailed the Debian bash maintainer about it. In the meantime we use the ash shell for our dynamic DNS system, which works all right.

regards,
Daniel Saakes
On Fri, 29 Sep 2000 11:41:05 -0400, Michael Stone wrote:
>
>On Fri, Sep 29, 2000 at 08:25:25AM -0700, Mark D. Baushke wrote:
>> Looking at past sources, it appears that bash introduced the idea of
>> unexporting the SSH_CLIENT variable in version 2.02 (not a new feature
>> of version 2.04 as Mike suggested) and has been in each subsequent
>> release of bash.
>
>Did you actually check this? Yes, bash has tried to do stuff with ssh
>since 2.02. But the entry for changes between bash-2.04-devel and
>bash-2.03-release contains:
>t. The SSH_CLIENT environment variable is no longer auto-exported.

I *thought* I had checked it. However, it helps if you recompile the test program with the path to the older version of bash instead of leaving it pointing to a new version. Clearly, I should not have posted until after I was more fully awake.

Mike is absolutely correct. Neither 2.02 nor 2.03 exhibits the problems with SSH_CLIENT at all.

However, adding an export SSH_CLIENT when appropriate should allow Daniel to work around his problem.

if [ "z$SSH_CLIENT" != "z" ]; then
    export SSH_CLIENT
fi

>And certainly in my testing it affects 2.04 but *not* 2.03.

Yes, now that I have recompiled the test program, I get the same results.

-- Mark
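
Added example, not part of the original thread and not code from any of the posters: a forced-command wrapper for the scheme discussed above, which takes the address from SSH_CLIENT instead of from a client-supplied argument and refuses to run when the variable is missing (the bash 2.04 case) or is not an IPv4 address. The zone, host name, TTL and the authorized_keys options in the comment are assumptions.

```shell
#!/bin/sh
# Forced-command wrapper for the passphrase-less dynamic DNS key (added example).
# Assumed authorized_keys entry, key elided:
#   command="/usr/local/bin/updatedns",no-pty,no-port-forwarding ssh-dss ...
# DDNS_ZONE, DDNS_HOST and DDNS_TTL are hypothetical values.
DDNS_ZONE="dyn.example.org"
DDNS_HOST="pickup.dyn.example.org"
DDNS_TTL=300

# SSH_CLIENT is "address source-port server-port"; print the address.
# Fails when the value is empty or malformed (e.g. the shell dropped it).
client_ip() {
    case "${1:-}" in
        *" "*" "*) printf '%s\n' "${1%% *}" ;;
        *) return 1 ;;
    esac
}

# Accept only a dotted-quad IPv4 address; runs in a subshell so IFS stays local.
valid_ipv4() (
    case "$1" in
        ""|*[!0-9.]*|.*|*.|*..*) exit 1 ;;
    esac
    IFS=.
    set -- $1
    [ $# -eq 4 ] || exit 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || exit 1
    done
)

# Emit the nsupdate batch that replaces the host's A record.
build_update() {
    printf 'zone %s\n' "$DDNS_ZONE"
    printf 'update delete %s A\n' "$DDNS_HOST"
    printf 'update add %s %s A %s\n' "$DDNS_HOST" "$DDNS_TTL" "$1"
    printf 'send\n'
}

# Entry point: anything the client typed (SSH_ORIGINAL_COMMAND) is ignored;
# the address comes only from what sshd recorded about the connection.
updatedns() {
    ip=$(client_ip "${SSH_CLIENT:-}") || { echo "SSH_CLIENT missing" >&2; return 1; }
    valid_ipv4 "$ip" || { echo "not an IPv4 address: $ip" >&2; return 1; }
    build_update "$ip"   # deployed form: build_update "$ip" | nsupdate
}

# Constructed sample connection, same shape as the SSH_CLIENT lines in the thread.
( SSH_CLIENT="10.1.2.3 43697 22"; updatedns )
```

Because the key is bound to this one command and the record's address is never taken from the command line, a stolen copy of the passphrase-less key can only point the record at the address the thief connects from.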