[Bug 3290] New: ControlPersist opens shell even with -N
bugzilla-daemon at mindrot.org
Tue Mar 30 09:32:11 AEDT 2021
https://bugzilla.mindrot.org/show_bug.cgi?id=3290
Bug ID: 3290
Summary: ControlPersist opens shell even with -N
Product: Portable OpenSSH
Version: 8.5p1
Hardware: amd64
OS: All
Status: NEW
Severity: minor
Priority: P5
Component: ssh
Assignee: unassigned-bugs at mindrot.org
Reporter: bugzillamindroto-mzk3bxkyqa at central-intelligence.agency
I'm trying to use an SSH tunnel through a host that only allows local
port forwarding, nothing else.
For reproducibility purposes the example in this report uses a pretty
much default ssh configuration with the user's shell being a shell
script echoing that the user isn't supposed to log in and then exiting.
As I'm defaulting to using ControlMaster and ControlPersist in my
ssh_config I came across this, as it effectively makes this connection
impossible to use unless ControlMaster and ControlPath are explicitly
disabled for this destination.
A working example would be:
ssh -F /dev/null -vvv -N -o ControlMaster=auto -o ControlPath=~/cptest localhost
In this case I can open a connection and nothing happens, as expected.
Adding a port forward with -L works fine too and I can reach the
intended destination. Great.
Once I add ControlPersist to this command, however, it breaks:
ssh -F /dev/null -vvv -N -o ControlMaster=auto -o ControlPath=~/cptest -o ControlPersist=5 localhost
Leading up to the exit I find this in the SSH logs (some lines
omitted):
debug2: channel 2: request shell confirm 1
debug2: shell request accepted on channel 2
This is not a real shell, you are not supposed to login.
debug1: client_input_channel_req: channel 2 rtype exit-status reply 0
debug3: mux_exit_message: channel 2: exit message, exitval 0
The message is coming from the user's shell.
The ControlMaster keeps running in the background until ControlPersist
times out. I can also verify that it still has a working session as I
can access a -L forwarded port before it's closing the ControlMaster
session.
Client and server config as well as -vvv client logs of both scenarios
are attached.
Tested on 8.1 (macOS), 8.2 (Linux) and 8.5 (Linux).