ProxyCommand not working if $SHELL not defined

Antonio Mignolli antonio.mignolli at yahoo.it
Fri Sep 18 01:02:11 EST 2009


Indeed, the only case is when someone manually sets SHELL to an invalid value
after login, but I agree with you, it should not happen.
Maybe a debug message could be added, otherwise it is difficult to understand
where the error is.
Suppose: (I'm using proxyconnect)
# export SHELL=/tmp
# ssh host
/tmp: Permission denied

It is quite good, but maybe it would be better if a debug message
showed what's happening. I noticed execv or execl has no
error control. The "Permission denied" above is given by execv.

The reason the "not executable" check was added is that a similar check
is already present in auth.c, for obvious login purposes, in sshd.
In practice, the suggested check is the same as in auth.c.

2009/9/17 Ben Lindstrom <mouring at eviladmin.org>:
>
> How does one get into a case where they are allowed to be logged in, but
> they don't have a valid executable shell?  This seems like a very odd
> condition and one that shouldn't happen.
>
> - Ben
>
> On Sep 17, 2009, at 7:47 AM, Antonio Mignolli wrote:
>
>> Ok, but the case with an invalid shell (non-executable)
>> is not covered.
>> It is also a user (or sysadm) fault, though, if SHELL is not
>> properly set.
>>
>> Bye.
>>
>> 2009/9/17 Damien Miller <djm at mindrot.org>:
>>>
>>> On Thu, 17 Sep 2009, Antonio Mignolli wrote:
>>>
>>>> Maybe the mailing list cuts the attachments.
>>>
>>> Yes, we strip pretty much everything but text/plain to avoid spam and
>>> malware.
>>>
>>>> patch.openssh-5.2p1.SHELLfix:
>>>>
>>>> 8<-----------------------------------------------------------------
>>>> Common subdirectories: openssh-5.2p1/contrib and
>>>> openssh-5.2p1.new/contrib
>>>> diff -NupwB openssh-5.2p1/misc.c openssh-5.2p1.new/misc.c
>>>> --- openssh-5.2p1/misc.c      2009-02-21 22:47:02.000000000 +0100
>>>> +++ openssh-5.2p1.new/misc.c  2009-09-16 02:21:11.000000000 +0200
>>>> @@ -849,3 +849,29 @@ ms_to_timeval(struct timeval *tv, int ms
>>>>      tv->tv_usec = (ms % 1000) * 1000;
>>>>  }
>>>>
>>>> +/*
>>>> + * Get shell from env or use default '/bin/sh'
>>>> + */
>>>> +char *
>>>> +get_shell_from_env()
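Review bot: the new function is declared as `get_shell_from_env()` with an empty parameter list, which in C is an unprototyped declaration; write `get_shell_from_env(void)`. The comment above it also hardcodes '/bin/sh' as the default, while the existing call sites in sftp.c and sshconnect.c fall back to `_PATH_BSHELL`; the comment (and the body, which the quote does not show) should use `_PATH_BSHELL` so the fallback stays in one place.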
>>>
>>> ...
>>>
>>> I think that this is quite overcomplicated. This is probably sufficient.
>>>
>>> Index: sftp.c
>>> ===================================================================
>>> RCS file: /cvs/src/usr.bin/ssh/sftp.c,v
>>> retrieving revision 1.111
>>> diff -u -p -r1.111 sftp.c
>>> --- sftp.c      18 Aug 2009 18:36:21 -0000      1.111
>>> +++ sftp.c      17 Sep 2009 12:26:04 -0000
>>> @@ -236,7 +236,7 @@ local_do_shell(const char *args)
>>>       if (!*args)
>>>               args = NULL;
>>>
>>> -       if ((shell = getenv("SHELL")) == NULL)
>>> +       if ((shell = getenv("SHELL")) == NULL || *shell == '\0')
>>>               shell = _PATH_BSHELL;
>>>
>>>       if ((pid = fork()) == -1)
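Review bot: the added `|| *shell == '\0'` in local_do_shell() only covers an unset or empty SHELL, not the case reported in this thread where SHELL names something that is not an executable file (`export SHELL=/tmp`), which still reaches the fork below and dies with a bare "Permission denied" from exec. If the change is meant to stay minimal, at least add a debug() when falling back to `_PATH_BSHELL` and have the child report strerror(errno) when its exec fails, so the cause is visible with -v.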
>>> Index: sshconnect.c
>>> ===================================================================
>>> RCS file: /cvs/src/usr.bin/ssh/sshconnect.c,v
>>> retrieving revision 1.214
>>> diff -u -p -r1.214 sshconnect.c
>>> --- sshconnect.c        28 May 2009 16:50:16 -0000      1.214
>>> +++ sshconnect.c        17 Sep 2009 12:26:05 -0000
>>> @@ -76,7 +76,7 @@ ssh_proxy_connect(const char *host, u_sh
>>>       pid_t pid;
>>>       char *shell, strport[NI_MAXSERV];
>>>
>>> -       if ((shell = getenv("SHELL")) == NULL)
>>> +       if ((shell = getenv("SHELL")) == NULL || *shell == '\0')
>>>               shell = _PATH_BSHELL;
>>>
>>>       /* Convert the port number into a string. */
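Review bot: this is the identical two-line check just added to local_do_shell() in sftp.c, and it appears a third time in ssh_local_cmd() below; a single helper returning the shell to use would keep the three sites from drifting, which is what the larger patch earlier in the thread was attempting. For ssh_proxy_connect() in particular, a debug() line naming the shell actually chosen would make a failing ProxyCommand much easier to diagnose.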
>>> @@ -1148,7 +1148,7 @@ ssh_local_cmd(const char *args)
>>>           args == NULL || !*args)
>>>               return (1);
>>>
>>> -       if ((shell = getenv("SHELL")) == NULL)
>>> +       if ((shell = getenv("SHELL")) == NULL || *shell == '\0')
>>>               shell = _PATH_BSHELL;
>>>
>>>       pid = fork();
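Review bot: same check copied a third time, in ssh_local_cmd(), so the helper suggestion above applies here too. Beyond that, `*shell == '\0'` catches exactly `SHELL=` and nothing else that exec will refuse (the thread's `SHELL=/tmp` case still fails at fork/exec time with no diagnostic); if leaving that as user error is deliberate, the commit message should say so, otherwise the executability check belongs in the shared helper.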
>>>
>> _______________________________________________
>> openssh-unix-dev mailing list
>> openssh-unix-dev at mindrot.org
>> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
>
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
>
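The check the thread argues about, written out as an added example that is not code from this thread or from OpenSSH: `choose_shell()` is a hypothetical helper that applies Damien's unset/empty fallback and then the auth.c-style executability test, returning a reason string the caller could pass to debug(). It assumes the caller passes in getenv("SHELL") and that an unusable value should fall back to _PATH_BSHELL rather than abort.

```c
/* Added example, not OpenSSH code: choose the shell for ProxyCommand and
 * local commands, with a reason string the caller can hand to debug(). */
#include <errno.h>
#include <paths.h>		/* _PATH_BSHELL */
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* env_shell is getenv("SHELL"), NULL when unset.  reason is "" when
 * env_shell is accepted, otherwise why _PATH_BSHELL was chosen instead. */
const char *
choose_shell(const char *env_shell, char *reason, size_t reasonlen)
{
	struct stat st;
	if (env_shell == NULL || *env_shell == '\0') {
		snprintf(reason, reasonlen, "SHELL unset or empty, using %s",
		    _PATH_BSHELL);
		return _PATH_BSHELL;
	}
	/* access(X_OK) alone passes for a searchable directory such as /tmp,
	 * which execv() then rejects with EACCES, so require a regular file. */
	if (stat(env_shell, &st) != 0)
		goto bad;		/* errno from stat: ENOENT, EACCES, ... */
	if (!S_ISREG(st.st_mode)) {
		errno = EACCES;		/* matches what execv() reports */
		goto bad;
	}
	if (access(env_shell, X_OK) != 0)
		goto bad;
	reason[0] = '\0';
	return env_shell;
bad:
	snprintf(reason, reasonlen, "SHELL=%s unusable (%s), using %s",
	    env_shell, strerror(errno), _PATH_BSHELL);
	return _PATH_BSHELL;
}

int main(void)
{
	/* constructed inputs, including the thread's SHELL=/tmp case */
	const char *cases[] = { NULL, "", "/tmp", "/nonexistent/sh", "/bin/sh" };
	char why[256];
	size_t i;
	for (i = 0; i < sizeof(cases) / sizeof(cases[0]); i++)
		printf("%s -> %s %s\n", cases[i] ? cases[i] : "(unset)",
		    choose_shell(cases[i], why, sizeof(why)), why);
	return 0;
}
```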

