openssh unix dev - Dec 2007 - ForceCommand - Subsystem

Hi All

First of all apologize for my bad English ? it is not my native language.

I'm using ssh for my everyday work. And I have noticed strange behaviour 
in sshd daemon.

In sshd_config file there is option ForceCommand, and if I'm making sftp 
connection it look like command is also executed, I receive error 
message and connection is lost. In my opinion ForceCommand should not be 
considered when subsystem is activated.


I have made a patch (please see attached file) it will probably solve 
the problem.


Best Regareds

Wojak


-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: patch_file
Url:
http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20071220/d2c0865d/attachment.ksh

This also effects the "command=" limitor for key authentication. 
Which
could become a security risk for folks expecting the current behavior.

Even at that I would expect "ForceCommand" to always come in play
(could
be because it was documented states it would).  It would be better to 
have "ForceNonSubsystemCommandForNonKeyAuthentication" directive (not
that
I would give up an evening coding that for submission =).

- Ben

On Thu, 20 Dec 2007, Wojtek Kupiec wrote:
> Hi All
>
> First of all apologize for my bad English ??? it is not my native language.
>
> I'm using ssh for my everyday work. And I have noticed strange
behaviour in
> sshd daemon.
>
> In sshd_config file there is option ForceCommand, and if I'm making
sftp
> connection it look like command is also executed, I receive error message
and
> connection is lost. In my opinion ForceCommand should not be considered
when
> subsystem is activated.
>
>
> I have made a patch (please see attached file) it will probably solve the 
> problem.
>
>
> Best Regareds
>
> Wojak
>
>
>