Hi,

Sorry to post this here again, I already posted it in the users mailing list but haven't got very far. I really need to get this resolved ASAP, as it's causing a big security headache for us. If anyone can help that would be wonderful. The original thread is here:
http://marc.info/?l=secure-shell&m=129562817820176&w=2

I am having a very strange problem with SSH. Essentially, I'm using forced commands to restrict access based on public key (there are around 2000 public keys). It appears to work okay, but when I look at the ssh -v output I see that the client/server is actually executing all the forced commands for RSA keys (I am connecting with an RSA key) until it "hits" my key.

Anyone have any idea why this is happening? I have no clue where to even look for hints as to what would cause this?

Here's an example of the output I am seeing (condensed, the real output is ~3000 lines):

OpenSSH_5.2p1, OpenSSL 0.9.8l 5 Nov 2009
debug1: Authentication succeeded (publickey).
debug2: fd 5 setting O_NONBLOCK
debug2: fd 6 setting O_NONBLOCK
debug1: channel 0: new [client-session]
debug3: ssh_session2_open: channel_new: 0
debug2: channel 0: send open
debug1: Requesting no-more-sessions at openssh.com
debug1: Entering interactive session.
debug1: Remote: Forced command: gitosis-serve osjokine
debug1: Remote: Port forwarding disabled.
debug1: Remote: X11 forwarding disabled.
debug1: Remote: Agent forwarding disabled.
debug1: Remote: Pty allocation disabled.
[... hundreds more like this ...]
debug1: Remote: Forced command: gitosis-serve obeattie
debug1: Remote: Port forwarding disabled.
debug1: Remote: X11 forwarding disabled.
debug1: Remote: Agent forwarding disabled.
debug1: Remote: Pty allocation disabled.
debug1: Remote: Forced command: gitosis-serve osjokine
debug1: Remote: Port forwarding disabled.
debug1: Remote: X11 forwarding disabled.
debug1: Remote: Agent forwarding disabled.
debug1: Remote: Pty allocation disabled.
[... hundreds more again ...]
debug1: Remote: Forced command: gitosis-serve obeattie
debug1: Remote: Port forwarding disabled.
debug1: Remote: X11 forwarding disabled.
debug1: Remote: Agent forwarding disabled.
debug1: Remote: Pty allocation disabled.
debug2: callback start

-Oliver

On 1/02/11 8:52 PM, Oliver Beattie wrote:
> Hi,
>
> Sorry to post this here again, I already posted it in the users
> mailing list but haven't got very far. I really need to get this
> resolved ASAP, as it's causing a big security headache for us. If
> anyone can help that would be wonderful. The original thread is here:
> http://marc.info/?l=secure-shell&m=129562817820176&w=2
>
> I am having a very strange problem with SSH. Essentially, I'm using
> forced commands to restrict access based on public key (there are
> around 2000 public keys). It appears to work okay, but when I look at
> the ssh -v output I see that the client/server is actually executing
> all the forced commands for RSA keys (I am connecting with an RSA key)
> until it "hits" my key.
>
> Anyone have any idea why this is happening? I have no clue where to
> even look for hints as to what would cause this?

Do you actually see the command being executed? Looking at the code, that output is just from the option parser, not the actual execution (in auth-options.c:auth_parse_options()).

The forced command that is actually executed gets logged on the server side as "Forced command (key option) " (at loglevel debug and above, in session.c).

If you are actually seeing the command executed multiple times, could you please post a small sample of the authorized_keys file (feel free to elide the actual keys).

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.

On 1 February 2011 13:34, Damien Miller <djm at mindrot.org> wrote:
>
> The bug that caused the authorized_keys file to be parsed in this way
> was fixed in openssh-5.6 (or possibly earlier). You should try the most
> recent release (5.7)

Hmm, we are bound to using Debian packages, I guess it was a little earlier, as we are using the latest in Squeeze which is 5.5:
http://packages.debian.org/squeeze/openssh-server

I'll see what can be done about upgrading. Thank you for your help in getting to the bottom of this!

-Oliver
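
Added example, not part of the thread and not OpenSSH or gitosis code: a check that every authorized_keys entry carries a forced command and the four restrictions visible in the debug output above, so the file can be audited on its own while the client output is noisy. The `gitosis-serve <user>` command shape, the `ssh-rsa`/`ssh-dss` key types and the sample lines (with placeholder key material) are assumptions made for illustration.

```python
import re

# Restrictions the thread's debug output shows applied to every key.
REQUIRED = {"no-port-forwarding", "no-x11-forwarding", "no-agent-forwarding", "no-pty"}
OPT = r'[A-Za-z0-9-]+(?:="(?:[^"\\]|\\.)*")?'          # name or name="value"
LINE = re.compile(r'^(?:(%s(?:,%s)*)\s+)?(ssh-rsa|ssh-dss)\s+\S+' % (OPT, OPT))
PAIR = re.compile(r'([A-Za-z0-9-]+)(?:="((?:[^"\\]|\\.)*)")?')

def parse_line(line):
    """Return the options of one authorized_keys line as a dict, or None if malformed."""
    m = LINE.match(line.strip())
    if m is None:
        return None
    return {name.lower(): value for name, value in PAIR.findall(m.group(1) or "")}

def audit(text, expected="gitosis-serve"):
    """Return (line number, problem) pairs for keys that are not locked down."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        opts = parse_line(line)
        if opts is None:
            findings.append((n, "unparseable line"))
            continue
        cmd = opts.get("command", "").split()
        if not cmd:
            findings.append((n, "no forced command"))
        elif len(cmd) != 2 or cmd[0] != expected:
            findings.append((n, "unexpected forced command"))
        missing = sorted(REQUIRED - opts.keys())
        if missing:
            findings.append((n, "missing " + ",".join(missing)))
    return findings

SAMPLE = """\
# constructed sample; key material replaced by placeholders
command="gitosis-serve osjokine",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa AAAAPLACEHOLDER1 a@example
no-port-forwarding,no-pty ssh-rsa AAAAPLACEHOLDER2 b@example
ssh-rsa AAAAPLACEHOLDER3 c@example
command="/bin/sh",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa AAAAPLACEHOLDER4 d@example
command="gitosis-serve obeattie,no-pty ssh-rsa AAAAPLACEHOLDER5 e@example
"""

if __name__ == "__main__":
    for n, problem in audit(SAMPLE):
        print("line %d: %s" % (n, problem))
```

A line with an unbalanced quote is reported as unparseable rather than guessed at, since a mis-split option string is exactly where a restriction can be lost.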