OpenSSH - forced command - no-pty issue

Kumaresh kumaresh_ind at gmx.net
Wed Dec 31 22:50:58 EST 2003


Hello All,

I would like to get some input on the forced commands feature in the "no-pty" and
"pty" situations.

We have an issue where forced commands are left hanging on the sshd server
running whenever the ssh client disconnects.  My application uses a "forced
command" to restrict the actions that a user can execute on the server. This
is achieved with the help of a script, which is used as the forced command in
the .ssh/authorized_keys2 file. The client is a PuTTY client and we
established a connection (ssh-2 session) to the server. The script is
invoked and runs fine. However, if the user decides to forcefully terminate
the client session, by closing the PuTTY session, the script is left hanging
on the server. The sshd process associated with the connection closed, but
the command or the script still hangs without knowing that the sshd is
killed.

Below are traces illustrating the above using a simple 'sleep' command as
the forced command.  We used OpenSSH-3.6.1p2 client and server.

// in the .ssh/authorized_keys2 on the server
command="sleep 333",no-pty,no-port-forwarding ssh-rsa ....

// after client has established ssh-2 connection to server
#ps -ef | grep 4434
root      4434  8441  0 1:20 ?        00:00:00 /usr/sbin/sshd
root      8409  4434  0 1:20 ?        00:00:00 sleep 333   <------- the forced command

// after client forcefully terminated:
# ps -ef | grep sl
root      8409     1  0 1:20 ?        00:00:00 sleep 333    <-------- pid 4434 is gone, and pid 8409 (the forced command) has been adopted by root process

When tried with rsh, this is not the case. The command [sleep] closed on the
server immediately when the client session is closed.
Is there a way by which we can notify and kill the commands or child
processes when the sshd is terminated?

When the "no-pty" is removed from the forced command the command did not
hang. But, I want to restrict the users from getting interactive shell, so I
need this "no-pty".

Thanks in advance,
Kumar
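
An added example, not part of the original post and not OpenSSH code: a forced-command wrapper that keeps "no-pty" and stops the command once the session's stdin reaches end-of-file. It assumes that without a pty sshd feeds the command's stdin through a pipe or socket that closes when sshd goes away, and that the wrapped command does not need stdin; the function name and the wrapper path in the comment are hypothetical.

```shell
#!/bin/sh
# Hypothetical use in authorized_keys2:
#   command="/path/to/wrapper sleep 333",no-pty,no-port-forwarding ssh-rsa ...

# run_until_disconnect CMD [ARGS...]
# Runs CMD and terminates it if stdin reaches EOF first. Returns CMD's exit
# status (143 when the watcher stopped it with SIGTERM).
run_until_disconnect() {
    # Keep the session's stdin on fd 3: background jobs in a
    # non-interactive sh get /dev/null as stdin by default.
    exec 3<&0

    # The restricted command; it gets no stdin of its own.
    "$@" </dev/null 3<&- &
    cmd_pid=$!

    # Watcher: cat blocks until the sshd side closes, then the command is
    # stopped. On TERM (command ended first) it takes cat down with it, so
    # nothing keeps the session's descriptors open.
    (
        trap 'kill "$cat_pid" 2>/dev/null; exit 0' TERM
        cat <&3 3<&- >/dev/null 2>&1 &
        cat_pid=$!
        wait "$cat_pid"
        kill -TERM "$cmd_pid" 2>/dev/null
    ) &
    watcher_pid=$!
    exec 3<&-

    wait "$cmd_pid"
    status=$?

    # Command finished (or was stopped): retire the watcher.
    kill -TERM "$watcher_pid" 2>/dev/null
    wait "$watcher_pid" 2>/dev/null
    return "$status"
}

# When installed as the forced command, run the arguments under the watcher.
if [ "$#" -gt 0 ]; then
    run_until_disconnect "$@"
    exit $?
fi
```

A client that deliberately closes its input early (for example by redirecting stdin from /dev/null) looks the same as a disconnect to this wrapper.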






More information about the openssh-unix-dev mailing list