On Wed, Mar 11, 2009 at 15:39:07 -0500, Iain Morgan
wrote:> Hi,
>
> I noticed some behaviour recently that seems a bit odd. I have a
> command-restricted public key that I use for checkouts from a local CVS
> server. If I have the command-restricted key loaded into ssh-agent and
> connect to the server, but authenticate via password rather than the key
> (to get a login session) the forced command is still applied.
>
> In other words, I get the ssh-askpass dialogue box asking if I want to
> use the key and select 'Cancel.' I then get a password prompt and
> successfully authenticate, but rather than getting a login shell I'm
> apparently running the cvs command. If I don't have the key loaded,
I'm
> able to get a login session as expected.
>
> Admittedly, the server is running an older version of OpenSSH (4.3p1)
> and I have not verified that this behaviour exists with the current
> version of OpenSSH, but it seems to me that the restriction should only
> be applied if I actually used the key.
>
> Any thoughts?
>
I suppose for clarity's sake I should have mentioned that the key is
added with the -c option, so confirmation is required. Anyway, this
looks like this was fixed with more recent versions of OpenSSH. I am not
able to reproduce the problem with 5.1p1. Sorry for the false alarm.
--
Iain Morgan