Displaying 20 results from an estimated 55 matches for "ssh_original_command".
2014 Feb 05
1
Make SSH_ORIGINAL_COMMAND available in AuthorizedKeysCommand context
Hi
Using SSH_ORIGINAL_COMMAND in AuthorizedKeys is so helpful, I'd like to
know if it might be possible to access it in the AuthorizedKeysCommand
context (via env?). Is this possible? Can anybody give me advice on
going into this?
If possible, I'll use this SSH_ORIGINAL_COMMAND to send client-specific
information...
2014 Jul 08
2
[Bug 2253] New: No "$@"-like SSH_ORIGINAL_COMMAND leads to escaping, arg-sep and metachar issues
https://bugzilla.mindrot.org/show_bug.cgi?id=2253
Bug ID: 2253
Summary: No "$@"-like SSH_ORIGINAL_COMMAND leads to escaping,
arg-sep and metachar issues
Product: Portable OpenSSH
Version: 6.6p1
Hardware: Other
OS: Linux
Status: NEW
Severity: enhancement
Priority: P5
Component: sshd
Ass...
2005 May 11
0
SSH_ORIGINAL_COMMAND and no forced command
I just noticed that the env. variable SSH_ORIGINAL_COMMAND is no more
set if there is no forced command.
Was there a reason to do so?
Background:
I'm using a wrapper that can be used as forced command and as shell.
(most of the time as forced command, but now I had a task where it had
to be used as shell)
The wrapper currently only gets its paramete...
2005 Jun 09
1
need good wrapper
I'm having trouble with the rsync wrappers I've found online:
rsync_wrapper[8458]: SSH_ORIGINAL_COMMAND environment variable
apparently not set
rsync: connection unexpectedly closed (0 bytes read so far)
rsync error: error in rsync protocol data stream (code 12) at io.c(189)
I'm not sure if this is a problem of incompatibility between my RHES3
and the wrappers I've found or a problem I cou...
2017 Mar 08
2
Logging with ForceCommand and SCP
...# chroot'ing users into their home directories.
# there's no way to "redirect" execution back into it, so the best we
# can do is exec the old sftp-server instead, which will give the user a
# working sftp session, but won't chroot them into their home directory.
if [ "${SSH_ORIGINAL_COMMAND:-}" = "internal-sftp" ]
then
echo "substituting $SFTP_SERVER for internal SFTP service" >> $LOGFILE
echo "========================================" >> $LOGFILE
exec $SFTP_SERVER
# if they're requesting the sftp server, this is an sftp command....
2012 Sep 11
1
setup git in my godaddy server
...export GIT_EXEC_PATH=${GIT_BIN}/libexec/git-core
export PATH=/usr/local/bin:/usr/kerberos/bin:/usr/local/bin:/bin:/usr/bin:/var/chroot/home/content/88/9228188/bin:/var/chroot/home/content/88/9228188/libexec/git-core
And i add following code in front of my ssh key
command="if [[ "x${SSH_ORIGINAL_COMMAND}x" == "xx" ]]; then /bin/bash; else
source ~/.bashrc; eval "${SSH_ORIGINAL_COMMAND}"; fi; "
Finally in my local machine i create samplerepo.git and add index.html and
git init and add remote by following successfully.
git remote add origin name-NPUVrKOc7JbChlkuVnt...
2020 Oct 21
6
"Semi-Trusted" SSH-Keys that also require PAM login
...I was wondering whether anyone already had
a similar problem and found a solution or whether anyone would have an idea on how to proceed.
My thoughts go in the direction of still using authorized_keys and do something like
command="/verify/pam/login/or/whatever/via/some/script.sh && $SSH_ORIGINAL_COMMAND"
to use a script for external verification (allowing for any kind of additional checking, including PAM, but with a
different configuration) and then continue the normal execution.
Unfortunately, this has not worked for me.
So, is there any solution for this? Might it be as simple as using...
2002 May 22
4
restricting rsync over ssh
Is it true that when running rsync via ssh (i.e. rsync -e ssh ...) the
rsyncd.conf file is not applicable on the remote since rsync is launched
via the ssh exec call once connected rather than from rsyncd as in a
direct connect.
If so, I am trying to find the best way to restrict rsync -e ssh on the
remote machine. Prepending the authorized_keys entry with
command='rsync ...' 1024...
2006 Aug 24
2
Passwordless SSH messes with escaped spaces
...things yet
(like back quotes). Someone please tell me there is a really simple thing
I'm missing here, before I waste more time to finish this script:
#!/bin/sh
# v0.1 2006-08-17
# Only allows "rsync --server --sender" but retains any escaped spaces in the arguments.
#
cmd="${SSH_ORIGINAL_COMMAND}"
[ ! "${cmd:0:24}" = "rsync --server --sender " ] && exit 127
myself=${0##*/}
set $cmd
declare -a arr
i=0
for a in $*; do
arr[$i]="${arr[$i]:+${arr[$i]} }$1"
if [ "${1%\\}" = "$1" ]; then
i=$(($i+1))
else
arr[$i]="...
2023 Nov 12
2
restrict file transfer in rsync, scp, sftp?
...a-chroot *only*
> when sftp is requested and allow rsync when rsync is requested and
> allow rsync to work normally when rsync is requested.
You can do this using a custom setuid shell or forcecommand (it needs
to be setuid because chroot requires privileges). It can look at
the contents of $SSH_ORIGINAL_COMMAND and decide on whether to run
rsync or chroot then run sftp-server.
It is possible to do this without setuid, but the forcecommand would
need to live inside the ChrootDirectory along with everything else
sftp-server and rsync needs.
If you're on Linux, then maybe you could cook something up us...
2013 May 21
2
SSH users authentication depending on their public key.
...o manage interactive or non-interactive sessions but I
don't know how to deal with sshfs/sftp use.
Also according to me this is not an elegant solution but I wasn't able
to find another way until then.
Here is my authorized_keys:
command="sh -c 'SSH_KEY_USER=thomas /tmp/test.sh
${SSH_ORIGINAL_COMMAND:-}'" ssh-rsa publickey thomas at host.domain
Here is the /tmp/test.sh script:
#!/bin/bash
#
set -e
#
if [ ! -z $SSH_TTY ]; then
/bin/bash -l
elif [ ! -z $1 ]; then
$*
fi
exit 0
Do you have any other solutions? Am I missing something ?
Unfortunately I can't create one unix ac...
2023 Sep 19
1
Subsystem sftp invoked even though forced command created
...3 lab servers:
OS | OpenSSH version
Ubuntu 18.04 | OpenSSH_7.6p1 Ubuntu-4ubuntu0.7, OpenSSL 1.0.2n 7 Dec 2017
Solaris 11 | OpenSSH_8.4p1, OpenSSL 1.0.2zf 21 Jun 2022
HP-UX 11.31 | OpenSSH_8.1p1+sftpfilecontrol-v1.3-hpn14v20, OpenSSL 1.1.1d 10 Sep 2019
I got the following results:
OS | ssh | sftp | SSH_ORIGINAL_COMMAND
Ubuntu 18.04 | Hung waiting for input, pressed ^C | Obtained sftp prompt. | Not logged
Solaris 11 | Hung waiting for input, pressed ^C | Hung waiting for input, pressed ^C | Command: internal-sftp
HP-UX 11.31 | Hung waiting for input, pressed ^C | Hung waiting for input, pressed ^C | Command: /opt/ssh/libexec/sft...
2023 Nov 12
1
restrict file transfer in rsync, scp, sftp?
...> when sftp is requested and allow rsync when rsync is requested and
>> allow rsync to work normally when rsync is requested.
> You can do this using a custom setuid shell or forcecommand (it needs
> to be setuid because chroot requires privileges). It can look at
> the contents of $SSH_ORIGINAL_COMMAND and decide on whether to run
> rsync or chroot then run sftp-server.
>
> It is possible to do this without setuid, but the forcecommand would
> need to live inside the ChrootDirectory along with everything else
> sftp-server and rsync needs.
>
> If you're on Linux, then may...
2003 Jan 05
2
restricting rsync over ssh on the server side.
...f there's not already a way to do this, one possibility I had thought
of is a ssh key command= wrapper, so that you could generate an ssh
key like this:
command="rsync-ssh-wrapper --root=/home/foo/bar --disable-delete",...
and then when invoked rsync-ssh-wrapper would then look at
SSH_ORIGINAL_COMMAND to see the actual incoming request (presuming
there were any relevant options there; are rsync --server invocations
documented anywhere?), and combine that with the wrapper options to
decide how to invoke rsync --server. Of course this approach presumes
that rsync --server would support suitable a...
2003 Mar 13
3
SSH command when uploading files
Hello
I've searched quite a bit, but have so far been unsuccessful in finding an
answer to a question I have concerning the upload of files via rsync over
SSH.
When downloading, I have been able to make use of SSH's benefits, yet still
keep the rsync server safe from a shell accessible with a private SSH key
lacking a passphrase by restricting the public key used by the rsync client
to
2000 May 24
0
'command' option in authorized_keys
...ased with it, and find it
superior to ssh-1.2.27 in many ways (thanks for the good work).
I recently found one piece missing from the current release. I have used
the 'command' option in the authorized_keys file to restrict access. Using
ssh-1.2.27 the original command was placed in the SSH_ORIGINAL_COMMAND
environment variable. If command is set to a wrapper script, it was able
to parse contents of the variable, verify that any variable args are proper
and legal, then execute a predefined program passing the appropriate args
to that program. Without the environment variable there appears to be no
w...
2023 Jul 05
1
Subsystem sftp invoked even though forced command created
...e receive.ksh script is faulty in some way that causes it to invoke
> sftp-server
How would the script even *know* that the client requested the SFTP
subsystem? Is a subsystem's executable/path, supposedly internally
overwritten with the forced command at that point, exposed through
$SSH_ORIGINAL_COMMAND ?
(As a quick preliminary check, I'd suggest doing a "ps auwwwx --forest"
on the server while WinSCP has a "hacked" session open. If the
sftp-server process turns out to be a child of the script, bingo. If
not, the script could still be the culprit, but then we'd kno...
2018 Oct 18
1
Security issues when rsyncing directories as root
...sync to keep two directores on two servers in sync. Machine
A, the "client" is the one where the rsync process is invoked, which
then logs into Machine B, the "server" as root with ssh and a key. The
key is restricted in /root/.ssh/authorized_keys to a script that checks
whether $SSH_ORIGINAL_COMMAND matches the rsync --server command that I
expect, such as, for example,
rsync --server -re.iLsfxC --delete . /etc/dhcp/synced/
Unfortunately, this is rather restrictive and unflexible.
Things would be easier if rsync would have an option like
--restrict-write, making rsync not write anywhere outs...
2023 Jun 29
2
Subsystem sftp invoked even though forced command created
...ation is correct.
To test the theory, I've slightly altered the forced command to output log data to indicate whether the forced command is even executed, and if so, what command line it was passed from the client (or WinSCP). The added code is as follows:
LOGFILE=/tmp/name-of-file.log
if [[ $SSH_ORIGINAL_COMMAND ]]; then
print "Command: $SSH_ORIGINAL_COMMAND" >> $LOGFILE
else
print "No SSH_ORIGINAL COMMAND set" >> $LOGFILE
fi
I ran the client as is and received the following entry in the log:
Command: 2>/dev/null
I then set a flag in the client which removes the...
2023 Jul 03
1
Subsystem sftp invoked even though forced command created
..." \
> -o NumberOfPasswordPrompts=0 \
> ${User}@${Host} 2>/dev/null
Then whatever executes this command line does *not* understand (and eat)
the "2>/dev/null" like shells of the Bourne family should, hence it
winding up in the server-side $SSH_ORIGINAL_COMMAND ...
> debug1: server_input_channel_req: channel 0 request subsystem reply 1
> debug1: session_by_channel: session 0 channel 0
> debug1: session_input_channel_req: session 0 req subsystem
> debug2: subsystem request for sftp by user m61586
> debug1: subsystem: exec() /usr/libexec/ope...