[Bug 3486] New: SSH_ORIGINAL_COMMAND does not contain the original command anymore

bugzilla-daemon at mindrot.org
Wed Oct 19 22:39:43 AEDT 2022


https://bugzilla.mindrot.org/show_bug.cgi?id=3486

            Bug ID: 3486
           Summary: SSH_ORIGINAL_COMMAND does not contain the original
                    command anymore
           Product: Portable OpenSSH
           Version: 9.0p1
          Hardware: Other
                OS: Cygwin on NT/2k/Win7-11
            Status: NEW
          Severity: security
          Priority: P5
         Component: sshd
          Assignee: unassigned-bugs at mindrot.org
          Reporter: martin.rupp at nefkom.net

Some time ago I used the possibility to see the original command
in the variable SSH_ORIGINAL_COMMAND. It worked very well.

E.g. if a user used an scp command to copy a file to a target directory, I
was able to see that the user had invoked the scp command, and I was able to
see the target directory in the variable SSH_ORIGINAL_COMMAND.

To evaluate the content of SSH_ORIGINAL_COMMAND I created a script to
check whether the user really executes this scp command, and it was also
possible to check whether the target directory is the right one.

In newer versions of sshd the variable contains only
"/usr/sbin/sftp-server" or "internal-sftp", depending on the assignment
of the "Subsystem" definition in the /etc/sshd_config file.

It was really a good method to ensure that users really use the scp
command and don't use other targets (e.g. .ssh/authorized_key).

How can I get back the behaviour of sshd where SSH_ORIGINAL_COMMAND
really contains the original command (with some changes, because in the
past the variable contained "scp -t <target-folder/target-file>"
instead of the real command, but this was sufficient to see the
important things like the command and the target folder)?

I am able to disable all other security concerns via no-pty etc.

But I cannot ensure that the user really uses only the foreseen folder.

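As an added example (not from the bug report or from OpenSSH itself), a POSIX sh forced-command wrapper of the kind the reporter describes: it accepts SSH_ORIGINAL_COMMAND only when it is a plain `scp -t` upload into one directory and refuses everything else, including the `internal-sftp` / `sftp-server` subsystem request in which the target path is no longer visible. The directory `/srv/upload`, the script name `scp-guard` and the function names are assumptions.

```sh
#!/bin/sh
# scp-guard: hypothetical forced-command wrapper, installed in authorized_keys as
#   command="/usr/local/bin/scp-guard",no-pty,no-port-forwarding,... ssh-ed25519 AAAA...
# Only a plain, non-recursive "scp -t <path>" upload into ALLOWED_DIR is permitted.
ALLOWED_DIR="${ALLOWED_DIR:-/srv/upload}"   # assumed directory

# check_original_command CMD ALLOWED: returns 0 if CMD is "scp -t <path>" with
# <path> inside ALLOWED, otherwise prints a reason to stderr and returns 1.
check_original_command() {
    cmd=$1; allowed=$2
    case "$cmd" in
        "scp -t "*) target=${cmd#"scp -t "} ;;
        internal-sftp|*sftp-server*)
            echo "sftp subsystem requested: target path not visible, refusing" >&2
            return 1 ;;
        "") echo "no command given: interactive shell refused" >&2; return 1 ;;
        *)  echo "unexpected command: $cmd" >&2; return 1 ;;
    esac
    # Conservative lexical filter: no traversal, no shell metacharacters, no
    # second argument. A legitimate name containing ".." is rejected as well.
    case "$target" in
        *' '*|*'..'*|*';'*|*'|'*|*'&'*|*'$'*|*'`'*)
            echo "rejecting suspicious target: $target" >&2; return 1 ;;
    esac
    # Must be the allowed directory itself or a path directly beneath it.
    case "$target" in
        "$allowed"|"$allowed"/*) return 0 ;;
        *) echo "target outside $allowed: $target" >&2; return 1 ;;
    esac
}

# run_guard: validate the command sshd passed in and exec the real scp server.
run_guard() {
    if check_original_command "${SSH_ORIGINAL_COMMAND-}" "$ALLOWED_DIR"; then
        exec scp -t "${SSH_ORIGINAL_COMMAND#"scp -t "}"
    fi
    exit 1
}

# Only dispatch when sshd actually set the variable (lets the file be sourced).
if [ -n "${SSH_ORIGINAL_COMMAND+x}" ]; then run_guard; fi
```

Since OpenSSH 9.0 scp uses the SFTP protocol by default, so the wrapper will see exactly the subsystem request the report describes unless the client passes `scp -O`; the sftp branch above refuses rather than guessing the target.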