search for: ssh_original_command

Displaying 20 results from an estimated 51 matches for "ssh_original_command".

2014 Feb 05
1
Make SSH_ORIGINAL_COMMAND available in AuthorizedKeysCommand context
Hi Using SSH_ORIGINAL_COMMAND in AuthorizedKeys is so helpful, I'd like to know if it might be possible to access it in the AuthorizedKeysCommand context (via env ?). Is this possible ? can anybody give me advice on going into this ? If possible, I'll use this SSH_ORIGINAL_COMMAND to send client specifics information...
2014 Jul 08
2
[Bug 2253] New: No "$@"-like SSH_ORIGINAL_COMMAND leads to escaping, arg-sep and metachar issues
https://bugzilla.mindrot.org/show_bug.cgi?id=2253 Bug ID: 2253 Summary: No "$@"-like SSH_ORIGINAL_COMMAND leads to escaping, arg-sep and metachar issues Product: Portable OpenSSH Version: 6.6p1 Hardware: Other OS: Linux Status: NEW Severity: enhancement Priority: P5 Component: sshd Ass...
2005 May 11
0
SSH_ORIGINAL_COMMAND and no forced command
I just noticed that the env. variable SSH_ORIGINAL_COMMAND is no more set if there is no forced command. was there a reason to do so? Background: I'm using a wrapper that can be used as forced command and as shell. (most of the time as forced command, but now I had a task where it had to be used as shell) The wrapper currently only gets its paramete...
2005 Jun 09
1
need good wrapper
I'm having trouble with the rsync wrappers I've found online: rsync_wrapper[8458]: SSH_ORIGINAL_COMMAND environment variable apparently not set rsync: connection unexpectedly closed (0 bytes read so far) rsync error: error in rsync protocol data stream (code 12) at io.c(189) I'm not sure if this is a problem of incompatibility between my RHES3 and the wrappers I've found or a problem I cou...
2017 Mar 08
2
Logging with ForceCommand and SCP
...# chroot'ing users into their home directories. # there's no way to "redirect" execution back into it, so the best we # can do is exec the old sftp-server instead, which will give the user a # working sftp session, but won't chroot them into their home directory. if [ "${SSH_ORIGINAL_COMMAND:-}" = "internal-sftp" ] then echo "substituting $SFTP_SERVER for internal SFTP service" >> $LOGFILE echo "========================================" >> $LOGFILE exec $SFTP_SERVER # if they're requesting the sftp server, this is an sftp command....
2012 Sep 11
1
setup git in my godaddy server
...export GIT_EXEC_PATH=${GIT_BIN}/libexec/git-core export PATH=/usr/local/bin:/usr/kerberos/bin:/usr/local/bin:/bin:/usr/bin:/var/chroot/home/content/88/9228188/bin:/var/chroot/home/content/88/9228188/libexec/git-core And I add following code in front of my ssh key command="if [[ "x${SSH_ORIGINAL_COMMAND}x" == "xx" ]]; then /bin/bash; else source ~/.bashrc; eval "${SSH_ORIGINAL_COMMAND}"; fi; " Finally in my local machine I create samplerepo.git and add index.html and git init and add remote by following successfully. git remote add origin name-NPUVrKOc7JbChlkuVnt...
2020 Oct 21
6
"Semi-Trusted" SSH-Keys that also require PAM login
...I was wondering whether anyone already had a similar problem and found a solution or whether anyone would have an idea on how to proceed. My thoughts go in the direction of still using authorized_keys and do something like command="/verify/pam/login/or/whatever/via/some/script.sh && $SSH_ORIGINAL_COMMAND" to use a script for external verification (allowing for any kind of additional checking, including PAM, but with a different configuration) and then continue the normal execution. Unfortunately, this has not worked for me. So, is there any solution for this? Might it be as simple as using...
2002 May 22
4
restricting rsync over ssh
Is it true that when running rsync via ssh (i.e. rsync -e ssh ...) the rsyncd.conf file is not applicable on the remote since rsync is launched via the ssh exec call once connected rather than from rsyncd as in a direct connect. If so, I am trying to find the best way to restrict rsync -e ssh on the remote machine. Prepending the authorized_keys entry with command='rsync ...' 1024...
2006 Aug 24
2
Passwordless SSH messes with escaped spaces
...things yet (like back quotes). Someone please tell me there is a really simple thing I'm missing here, before I waste more time to finish this script: #!/bin/sh # v0.1 2006-08-17 # Only allows "rsync --server --sender" but retains any escaped spaces in the arguments. # cmd="${SSH_ORIGINAL_COMMAND}" [ ! "${cmd:0:24}" = "rsync --server --sender " ] && exit 127 myself=${0##*/} set $cmd declare -a arr i=0 for a in $*; do arr[$i]="${arr[$i]:+${arr[$i]} }$1" if [ "${1%\\}" = "$1" ]; then i=$(($i+1)) else arr[$i]=&quo...
2023 Nov 12
2
restrict file transfer in rsync, scp, sftp?
...a-chroot *only* > when sftp is requested and allow rsync when rsync is requested and > allow rsync to work normally when rsync is requested. You can do this using a custom setuid shell or forcecommand (it needs to be setuid because chroot requires privileges). It can look at the contents of $SSH_ORIGINAL_COMMAND and decide on whether to run rsync or chroot then run sftp-server. It is possible to do this without setuid, but the forcecommand would need to live inside the ChrootDirectory along with everything else sftp-server and rsync needs. If you're on Linux, then maybe you could cook something up us...
2013 May 21
2
SSH users authentication depending on their public key.
...o manage interactive or non-interactive sessions but I don't know how to deal with sshfs/sftp use. Also according to me this is not an elegant solution but I wasn't able to find another way until then. Here is my authorized_keys: command="sh -c 'SSH_KEY_USER=thomas /tmp/test.sh ${SSH_ORIGINAL_COMMAND:-}'" ssh-rsa publickey thomas at host.domain Here is the /tmp/test.sh script: #!/bin/bash # set -e # if [ ! -z $SSH_TTY ]; then /bin/bash -l elif [ ! -z $1 ]; then $* fi exit 0 Do you have any other solutions? Am I missing something ? Unfortunately I can't create one unix ac...
2023 Sep 19
1
Subsystem sftp invoked even though forced command created
...3 lab servers: OS OpenSSH version Ubuntu 18.04 OpenSSH_7.6p1 Ubuntu-4ubuntu0.7, OpenSSL 1.0.2n 7 Dec 2017 Solaris 11 OpenSSH_8.4p1, OpenSSL 1.0.2zf 21 Jun 2022 HP-UX 11.31 OpenSSH_8.1p1+sftpfilecontrol-v1.3-hpn14v20, OpenSSL 1.1.1d 10 Sep 2019 I got the following results: OS ssh sftp SSH_ORIGINAL_COMMAND Ubuntu 18.04 Hung waiting for input, pressed ^C Obtained sftp prompt. Not logged Solaris 11 Hung waiting for input, pressed ^C Hung waiting for input, pressed ^C Command: internal-sftp HP-UX 11.31 Hung waiting for input, pressed ^C Hung waiting for input, pressed ^C Command: /opt/ssh/libexec/sft...
2023 Nov 12
1
restrict file transfer in rsync, scp, sftp?
...t; when sftp is requested and allow rsync when rsync is requested and >> allow rsync to work normally when rsync is requested. > You can do this using a custom setuid shell or forcecommand (it needs > to be setuid because chroot requires privileges). It can look at > the contents of $SSH_ORIGINAL_COMMAND and decide on whether to run > rsync or chroot then run sftp-server. > > It is possible to do this without setuid, but the forcecommand would > need to live inside the ChrootDirectory along with everything else > sftp-server and rsync needs. > > If you're on Linux, then may...
2003 Jan 05
2
restricting rsync over ssh on the server side.
...f there's not already a way to do this, one possibility I had thought of is a ssh key command= wrapper, so that you could generate an ssh key like this: command="rsync-ssh-wrapper --root=/home/foo/bar --disable-delete",... and then when invoked rsync-ssh-wrapper would then look at SSH_ORIGINAL_COMMAND to see the actual incoming request (presuming there were any relevant options there; are rsync --server invocations documented anywhere?), and combine that with the wrapper options to decide how to invoke rsync --server. Of course this approach presumes that rsync --server would support suitable a...
2003 Mar 13
3
SSH command when uploading files
Hello I've searched quite a bit, but have so far been unsuccessful in finding an answer to a question I have concerning the upload of files via rsync over SSH. When downloading, I have been able to make use of SSH's benefits, yet still keep the rsync server safe from a shell accessible with a private SSH key lacking a passphrase by restricting the public key used by the rsync client to
2000 May 24
0
'command' option in authorized_keys
...ased with it, and find it superior to ssh-1.2.27 in many ways (thanks for the good work). I recently found one piece missing from the current release. I have used the 'command' option in the authorized_keys file to restrict access. Using ssh-1.2.27 the original command was placed in the SSH_ORIGINAL_COMMAND environment variable. If command is set to a wrapper script, it was able to parse contents of the variable, verify that any variable args are proper and legal, then execute a predefined program passing the appropriate args to that program. Without the environment variable there appears to be no w...
2023 Jul 05
1
Subsystem sftp invoked even though forced command created
...e receive.ksh script is faulty in some way that causes it to invoke > sftp-server How would the script even *know* that the client requested the SFTP subsystem? Is a subsystem's executable/path, supposedly internally overwritten with the forced command at that point, exposed through $SSH_ORIGINAL_COMMAND ? (As a quick preliminary check, I'd suggest doing a "ps auwwwx --forest" on the server while WinSCP has a "hacked" session open. If the sftp-server process turns out to be a child of the script, bingo. If not, the script could still be the culprit, but then we'd kno...
2018 Oct 18
1
Security issues when rsyncing directories as root
...sync to keep two directories on two servers in sync. Machine A, the "client" is the one where the rsync process is invoked, which then logs into Machine B, the "server" as root with ssh and a key. The key is restricted in /root/.ssh/authorized_keys to a script that checks whether $SSH_ORIGINAL_COMMAND matches the rsync --server command that I expect, such as, for example, rsync --server -re.iLsfxC --delete . /etc/dhcp/synced/ Unfortunately, this is rather restrictive and inflexible. Things would be easier if rsync would have an option like --restrict-write, making rsync not write anywhere outs...
2023 Jun 29
2
Subsystem sftp invoked even though forced command created
...ation is correct. To test the theory, I've slightly altered the forced command to output log data to indicate whether the forced command is even executed, and if so, what command line it was passed from the client (or WinSCP). The added code is as follows: LOGFILE=/tmp/name-of-file.log if [[ $SSH_ORIGINAL_COMMAND ]]; then print "Command: $SSH_ORIGINAL_COMMAND" >> $LOGFILE else print "No SSH_ORIGINAL COMMAND set" >> $LOGFILE fi I ran the client as is and received the following entry in the log: Command: 2>/dev/null I then set a flag in the client which removes the...
2023 Jul 03
1
Subsystem sftp invoked even though forced command created
...ot; \ > -o NumberOfPasswordPrompts=0 \ > ${User}@${Host} 2>/dev/null Then whatever executes this command line does *not* understand (and eat) the "2>/dev/null" like shells of the Bourne family should, hence it winding up in the server-side $SSH_ORIGINAL_COMMAND ... > debug1: server_input_channel_req: channel 0 request subsystem reply 1 > debug1: session_by_channel: session 0 channel 0 > debug1: session_input_channel_req: session 0 req subsystem > debug2: subsystem request for sftp by user m61586 > debug1: subsystem: exec() /usr/libexec/ope...