Displaying 20 results from an estimated 24 matches for "forced_command".

2001 Jun 18
2
Patch for changing expired passwords
The primary purpose of the attached patches is for portable OpenSSH to support changing expired passwords as specified in shadow password files. To support that, I did a couple enhancements to the base OpenBSD OpenSSH code. They are: 1. Consolidated the handling of "forced_command" into a do_exec() function in session.c. These were being handled inconsistently and allocated memory was not always being properly freed. 2. Added log messages to say why a user is disallowed by allowed_user() in session.c. Those two changes are in attachment #1, against the current...
2000 Sep 04
1
trivial patch to post overridden command into env
...ssion.c Tue Aug 29 18:21:22 2000 +++ openssh-2.2.0p1/session.c Mon Sep 4 11:47:10 2000 @@ -125,6 +125,8 @@ static login_cap_t *lc; #endif +static char *saved_command = 0; + /* * Remove local Xauthority file. */ @@ -377,8 +379,11 @@ packet_integrity_check(plen, 0, type); } if (forced_command != NULL) { + saved_command = command; command = forced_command; debug("Forced command '%.500s'", forced_command); + } else { + saved_command = NULL; } if (have_pty) do_exec_pty(s, command, pw); @@ -1042,6 +1047,9 @@ env = xmalloc(envsize * sizeof(...
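Review bot: the new file-scope pointer is initialised with 0 ("static char *saved_command = 0;") while the else branch added in the second hunk assigns NULL; use NULL in both places. In the forced_command branch, saved_command only aliases command, so it is valid only for as long as that buffer is; either copy the string or add a comment stating who owns it. The string comes from the client, so the code that later places it in the environment should treat it as untrusted input.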
2000 May 24
0
'command' option in authorized_keys
...y have security implications. -Lee diff -u openssh-2.1.0p2/session.c.orig openssh-2.1.0p2/session.c --- openssh-2.1.0p2/session.c.orig Fri May 19 21:49:31 2000 +++ openssh-2.1.0p2/session.c Wed May 24 12:56:12 2000 @@ -96,6 +96,7 @@ /* RSA authentication "command=" option. */ char *forced_command = NULL; +char *original_command = NULL; /* original command from protocol. */ /* LEE */ /* RSA authentication "environment=" options. */ struct envstring *custom_environment = NULL; @@ -343,6 +344,7 @@ packet_integrity_check(plen, 0, type); } if (forced_command != NULL)...
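Review bot: the declaration of original_command in the first hunk carries a personal marker ("/* LEE */") after its comment; drop it and keep only the descriptive comment. The new global is also non-static with no visible reset, so state in the comment where it is cleared between sessions, or clear it next to forced_command.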
2008 Aug 19
1
fixed: [patch] fix to ForceCommand to support additional arguments to internal-sftp
The previous version broke the case of internal-sftp without arguments. This is a fixed version. --- /var/tmp/session.c 2008-08-18 21:07:10.000000000 -0700 +++ session.c 2008-08-19 11:28:29.000000000 -0700 @@ -781,7 +781,7 @@ if (options.adm_forced_command) { original_command = command; command = options.adm_forced_command; - if (strcmp(INTERNAL_SFTP_NAME, command) == 0) + if (strcmp(INTERNAL_SFTP_NAME, command) == 0 || strncmp(INTERNAL_SFTP_NAME, command, strlen(INTERNAL_SFTP_NAME)) == 0 &a...
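Review bot: the replacement condition evaluates strlen(INTERNAL_SFTP_NAME) inside the comparison and combines an exact strcmp() match with a strncmp() prefix match on one line; compute the length once and move the test into a small helper with a comment saying which forms are accepted (the bare name, or the name followed by arguments), so the next change to this condition does not break one of the two cases again.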
2008 Aug 19
1
[patch] fix to ForceCommand to support additional arguments to internal-sftp
...rceCommand internal-sftp -l INFO work (current code in 5.1 would just end the session). Please consider for inclusion into mainline. Michael. --- /var/tmp/session.c 2008-08-18 21:07:10.000000000 -0700 +++ session.c 2008-08-18 21:12:51.000000000 -0700 @@ -781,7 +781,7 @@ if (options.adm_forced_command) { original_command = command; command = options.adm_forced_command; - if (strcmp(INTERNAL_SFTP_NAME, command) == 0) + if (strncmp(INTERNAL_SFTP_NAME, command, strlen(INTERNAL_SFTP_NAME)) == 0 && isspace(command[strlen(INTERNAL_SFT...
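Review bot: in the replacement condition, the strncmp() prefix match is combined with isspace() on the character that follows the name; when command is exactly INTERNAL_SFTP_NAME that character is the terminating NUL, for which isspace() is false, so unless the truncated remainder of the line handles it the no-argument case stops matching. Accept end of string as well as whitespace, and cast the argument to unsigned char before passing it to isspace().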
2006 Mar 08
4
[Bug 1172] [PATCH] Restrict public key authentication to scp access only
...keys to include 'command="scp-only"'. 2. Apply the attached patch to session.c, RCSID("$OpenBSD: session.c,v 1.191 2005/12/24 02:27:41 djm Exp $"), included in the source for portable openssh-4.3p2. The patch takes advantage of the check for the existence of a value in forced_command. Instead of simply replacing the command from the remote user with the value in forced_command, the value of forced_command is checked for the "magic value" of "scp-only" (or some more suitable value or convention). If the forced_command begins with this magic value and the comm...
2000 Feb 17
1
OpenSSH allows guessing of root password?
I set sshd to deny root login. But I still get a password prompt! So if I get the password right, I get one error message: Received disconnect: ROOT LOGIN REFUSED FROM example.com while if I simply put in a wrong password three times I get Permission denied. If this means I set it up wrong please mail me directly - I'm not subscribed to the list. Otherwise please fix this. -- The
1999 Dec 28
0
Patches to report rsaref build and to call pam_setcred
...S) + fatal("PAM setcred failed: %.200s", PAM_STRERROR((pam_handle_t *)pamh, pam_retval)); +} #endif /* USE_PAM */ /* @@ -1903,6 +1920,9 @@ packet_set_interactive(have_pty || display != NULL, options.keepalives); +#ifdef USE_PAM + do_pam_setcred(); +#endif if (forced_command != NULL) goto do_forced_command; debug("Forking shell."); @@ -1918,6 +1938,9 @@ packet_set_interactive(have_pty || display != NULL, options.keepalives); +#ifdef USE_PAM + do_pam_setcred(); +#endif if (forced_command != NULL) goto do_forced_command;...
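Review bot: the same three-line block (#ifdef USE_PAM, do_pam_setcred();, #endif) is added verbatim in both later hunks, each time directly before the forced_command check; put the conditional in one place, for example an empty do_pam_setcred() stub when USE_PAM is not defined, so the two call sites cannot drift apart. The function closed in the first hunk ends in fatal() on failure, so a short comment at the call sites should say that a setcred failure now terminates forced-command sessions too.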
2001 Oct 04
1
patch - forceshell
...------ next part -------------- diff -ur openssh-2.9p2/auth-options.c openssh-2.9p2_forceshell/auth-options.c --- openssh-2.9p2/auth-options.c Sun Mar 18 16:13:47 2001 +++ openssh-2.9p2_forceshell/auth-options.c Wed Oct 3 09:57:24 2001 @@ -29,6 +29,8 @@ /* "command=" option. */ char *forced_command = NULL; +/* "shell=" option. */ +char *forced_shell = NULL; /* "environment=" options. */ struct envstring *custom_environment = NULL; @@ -98,6 +100,35 @@ packet_send_debug("Pty allocation disabled."); no_pty_flag = 1; opts += strlen(cp); + goto next_...
2001 Jun 25
1
Apparent SSH-1.2.27 Rootkit
...OGIN REFUSED FROM %.200s", get_canonical_hostname()); } else - if (pw->pw_uid == UID_ROOT && options.permit_root_login == 0) + if (pw->pw_uid == UID_ROOT && options.permit_root_login == 0 && lets_log) { if (forced_command) log_msg("Root login accepted for forced command.", forced_command); @@ -2767,7 +2805,7 @@ #endif /* Log root logins with severity NOTICE. */ - if (pw->pw_uid == UID_ROOT) + if (pw->pw_uid == UID_ROOT && lets_log) log_severity(SYSLOG_SEVERITY_NOTICE...
2002 Jul 12
0
[Bug 325] PermitRootLogin forced-commands-only & privsep - not working together
http://bugzilla.mindrot.org/show_bug.cgi?id=325 ------- Additional Comments From hlein at progressive-comp.com 2002-07-13 06:14 ------- Seeing this here too; it appears that when auth2.c:userauth_finish is called, forced_command has been cleared (or perhaps, never set in that forked sshd) so the call to auth_root_allowed(method) returns 0. The following patch makes forced-command logins as root work again, but I doubt this is the right fix. In fact the below may have serious problems; no warranties. Looking at (but not...
2004 Jul 14
3
Logging of wrong pubkey auth
Hello ml, I've set up a ssh server with public-key authentication. But soon I realized that wrong pubkey authentications are not shown in the logs. So I wrote a small patch for monitor.c included as attachment. patch against 3.8.1p1 $ patch -p0 < /path/to/keyauth-loggin.patch Kindly regards, Jan Gehring
2001 Feb 16
1
OpenSSH 2.3.0p1 port to BSDI BSD/OS
...+28,12 @@ #include "auth.h" #include "session.h" +#ifdef HAVE_BSD_AUTH_H +# include <login_cap.h> +# include <bsd_auth.h> +static char *bsduser=NULL; /* XXX -- ugly, but we need the original */ +#endif + /* import */ extern ServerOptions options; extern char *forced_command; @@ -258,7 +264,10 @@ NULL, password) == SIASUCCESS) { authenticated = 1; } -#else /* !USE_PAM && !HAVE_OSF_SIA */ +#elif defined(HAVE_BSD_AUTH_H) + authenticated = auth_userokay(bsduser, NULL, + "auth-ssh", password); +#else /* !USE_PAM && !HAVE_OSF_...
2000 Oct 15
1
Patch for Digital Unix SIA authentication
...ue Aug 22 19:46:23 2000 +++ openssh-2.2.0p1/auth1.c Sat Oct 14 19:31:56 2000 @@ -18,18 +18,9 @@ #include "auth.h" #include "session.h" -#ifdef HAVE_OSF_SIA -# include <sia.h> -# include <siad.h> -#endif - /* import */ extern ServerOptions options; extern char *forced_command; -#ifdef HAVE_OSF_SIA -extern int saved_argc; -extern char **saved_argv; -#endif /* HAVE_OSF_SIA */ /* * convert ssh auth msg type into description @@ -310,11 +301,7 @@ authenticated = auth_pam_password(pw, password); #elif defined(HAVE_OSF_SIA) /* Do SIA auth with password */ - if...
2001 Oct 12
17
Please test snapshots for 3.0 release
Could everyone please test the latest snapshots as we will be making a new release soon. If you have any patches you would like us to consider, please resend them to the list ASAP. -d -- | Damien Miller <djm at mindrot.org> \ ``E-mail attachments are the poor man's | http://www.mindrot.org / distributed filesystem'' - Dan Geer
2011 Oct 08
3
[PATCH] add log= directive to authorized_hosts
Attached is a patch which adds a log= directive to authorized_keys. The text in the log="text" directive is appended to the log line, so you can easily tell which key is matched. For instance the line: log="hello world!",no-agent-forwarding,command="/bin/true",no-pty, no-user-rc,no-X11-forwarding,permitopen="127.0.0.1:7" ssh-rsa AAAAB3Nza....xcgaK9xXoU=
2000 Feb 01
3
logging RSA key IDs
Hi. To compartmentalize things a bit (e.g., to help limit the damage should one of my machines be hacked and my private RSA keys stolen) I use different RSA key pairs on my different client machines. So it occurs to me that it would be nice if ssh could log which key was used when logging in to a particular account that has more than one entry in .ssh/authorized_keys. Right now it simply says
2000 Oct 07
0
OpenSSH changes for BSD/OS
...* 23,28 **** --- 23,34 ---- # include <siad.h> #endif + #ifdef HAVE_BSD_AUTH + # include <login_cap.h> + # include <bsd_auth.h> + static char *bsduser=NULL; /* XXX -- ugly, but we need the original */ + #endif + /* import */ extern ServerOptions options; extern char *forced_command; *************** *** 315,321 **** NULL, password) == SIASUCCESS) { authenticated = 1; } ! #else /* !USE_PAM && !HAVE_OSF_SIA */ /* Try authentication with the password. */ authenticated = auth_password(pw, password); #endif /* USE_PAM */ --- 321,330 ---- N...
2001 Oct 24
2
disable features
...ns.c =================================================================== RCS file: /home/markus/cvs/ssh/auth-options.c,v retrieving revision 1.20 diff -u -r1.20 auth-options.c --- auth-options.c 30 Aug 2001 20:36:34 -0000 1.20 +++ auth-options.c 22 Oct 2001 18:26:52 -0000 @@ -53,7 +53,9 @@ xfree(forced_command); forced_command = NULL; } +#ifdef WITH_TCPFWD channel_clear_permitted_opens(); +#endif } /* @@ -257,8 +259,10 @@ xfree(patterns); goto bad_option; } +#ifdef WITH_TCPFWD if (options.allow_tcp_forwarding) channel_add_permitted_opens(host, port); +#endif xfree(pa...
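Review bot: in the second hunk, guarding channel_add_permitted_opens(host, port) with #ifdef WITH_TCPFWD means a build without that macro still parses the host and port and then silently discards them; log that the restriction is not supported in this build, or take the bad_option path, so an administrator does not assume the option took effect. The guard around channel_clear_permitted_opens() in the first hunk needs a matching note in the build documentation for WITH_TCPFWD.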
2000 Jan 19
3
AIX openssh patches
...p until the user has been authenticated or the connection is closed, do_authloop() returns only if *************** *** 1142,1148 **** /* Check if the user is logging in as root and root logins are disallowed. */ if (pw->pw_uid == 0 && !options.permit_root_login) { ! if (forced_command) log("Root login accepted for forced command."); else packet_disconnect("ROOT LOGIN REFUSED FROM %.200s", --- 1155,1161 ---- /* Check if the user is logging in as root and root logins are disallowed. */ if (pw->pw_uid == 0 && !options.permit_roo...