Displaying 4 results from an estimated 4 matches for "mm_audit_run_command".

2016 Feb 17
2
Using 'ForceCommand' Option
...port only that the connection was dropped by the server. The server, in debug mode, shows:
Feb 17 16:14:01 is-rhsat-lv02 sshd[13008]: Starting session: forced-command (config) '/tmp/s.sh' on pts/3 for kimmell from 198.253.183.24 port 55673
Feb 17 16:14:01 is-rhsat-lv02 sshd[13008]: debug3: mm_audit_run_command entering command /tmp/s.sh
Feb 17 16:14:01 is-rhsat-lv02 sshd[13008]: debug3: mm_request_send entering: type 114
Feb 17 16:14:01 is-rhsat-lv02 sshd[13008]: debug3: mm_request_receive_expect entering: type 115
Feb 17 16:14:01 is-rhsat-lv02 sshd[12985]: debug3: mm_request_receive entering
Feb 17 16:1...
2023 Jul 05
1
Subsystem sftp invoked even though forced command created
...s recording (badly) which subsystem was requested, but this is before the forced command is applied in do_exec(). https://github.com/openssh/openssh-portable/blob/V_7_4_P1/session.c#L1938-L1944 Further evidence that this is the case is the audit calls that log the command being executed:
debug3: mm_audit_run_command entering command /opt/app/workload/secgov/opt/sact-central/bin/receive.ksh
debug3: mm_audit_end_command entering command /opt/app/workload/secgov/opt/sact-central/bin/receive.ksh
So the command appears to have been correctly overridden and nothing in the debug logs explains the behaviour you'r...
2023 Jul 03
1
Subsystem sftp invoked even though forced command created
On 30.06.23 17:56, MCMANUS, MICHAEL P wrote:
> The actual command is similar to the following (parameters inserted to protect the source):
> (print ${FQDN} ; print ${Environment} ; cat ${OutFileXML}) | \
> ssh -Ti ${EmbeddedPrivateKey} \
> -o HostKeyAlias="${Alias}" \
> -o
2023 Jun 30
1
Subsystem sftp invoked even though forced command created
On 30/06/2023 09:56, Damien Miller wrote:
> It's very hard to figure out what is happening here without a debug log.
>
> You can get one by stopping the listening sshd and running it manually
> in debug mode, e.g. "/usr/sbin/sshd -ddd"
Or starting one in debug mode on a different port, e.g. "-p99 -ddd"