'command' option in authorized_keys

Lee Eakin Leakin at dfw.nostrum.com
Thu May 25 04:32:01 EST 2000

I am a recent convert to openssh.  I am very pleased with it, and find it
superior to ssh-1.2.27 in many ways (thanks for the good work).

I recently found one piece missing from the current release.  I have used
the 'command' option in the authorized_keys file to restrict access.  Using 
ssh-1.2.27 the original command was placed in the SSH_ORIGINAL_COMMAND
envrionment variable.  If command is set to a wrapper script, it was able
to parse contents of the variable, verify that any variable args are proper
and legal, then execute a predefined program passing the appropriate args
to that program.  Without the environment variable there appears to be no
way to access the original command.

It appears only 3 lines are needed to enable this feature.  The diff is
included below.  Note that this diff applies to the portable version after
./configure --with-tcp-wrappers --with-ipv4-default has run on a Linux box.
My initials are included at the end of each added line to make them easy to
spot (this is my personal convention for marking my changes, the code is
almost verbatim from ssh-1.2.26, I do not claim any credit).

Please consider this addition with all proper security review.  This is a
suggestion and example.  It works, but may have security implications.

diff -u openssh-2.1.0p2/session.c.orig openssh-2.1.0p2/session.c
--- openssh-2.1.0p2/session.c.orig	Fri May 19 21:49:31 2000
+++ openssh-2.1.0p2/session.c	Wed May 24 12:56:12 2000
@@ -96,6 +96,7 @@
 /* RSA authentication "command=" option. */
 char *forced_command = NULL;
+char *original_command = NULL;  /* original command from protocol. */ /* LEE */
 /* RSA authentication "environment=" options. */
 struct envstring *custom_environment = NULL;
@@ -343,6 +344,7 @@
 				packet_integrity_check(plen, 0, type);
 			if (forced_command != NULL) {
+				original_command = command;
 				command = forced_command;
 				debug("Forced command '%.500s'", forced_command);
@@ -911,6 +913,8 @@
 		child_set_env(&env, &envsize, "TERM", term);
 	if (display)
 		child_set_env(&env, &envsize, "DISPLAY", display);
+	if (original_command) /* LEE */
+		child_set_env(&env, &envsize, "SSH_ORIGINAL_COMMAND", original_command); /* LEE */
 #ifdef _AIX

    Lee Eakin - leakin at ti.com - Naming Services, Texas Instruments   -o)
                [ permanent e-mail: Lee at Eakin.Org ]                  /\\
echo "forgot::0:0::/:/bin/sh" >> /etc/passwd; echo "If you forgot your
password, then login as 'forgot' with no password, and do "passwd
<yourlogin>" >> /etc/issue   --nolander at NOLANDER.PP.SE

More information about the openssh-unix-dev mailing list