Multiple forced commands being executed

Oliver Beattie oliver at obeattie.com
Tue Feb 1 20:52:36 EST 2011


Hi,

Sorry to post this here again, I already posted it in the users
mailing list but haven't got very far. I really need to get this
resolved ASAP, as it's causing a big security headache for us. If
anyone can help that would be wonderful. The original thread is here:
http://marc.info/?l=secure-shell&m=129562817820176&w=2

I am having a very strange problem with SSH. Essentially, I'm using
forced commands to restrict access based on public key (there are
around 2000 public keys). It appears to work okay, but when I look at
the ssh -v output I see that the client/server is actually executing
all the forced commands for RSA keys (I am connecting with an RSA key)
until it "hits" my key.

Anyone have any idea why this is happening? I have no clue where to
even look for hints as to what would cause this…

Here's an example of the output I am seeing (condensed, the real
output is ~3000 lines):

OpenSSH_5.2p1, OpenSSL 0.9.8l 5 Nov 2009
debug1: Authentication succeeded (publickey).
debug2: fd 5 setting O_NONBLOCK
debug2: fd 6 setting O_NONBLOCK
debug1: channel 0: new [client-session]
debug3: ssh_session2_open: channel_new: 0
debug2: channel 0: send open
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
debug1: Remote: Forced command: gitosis-serve osjokine
debug1: Remote: Port forwarding disabled.
debug1: Remote: X11 forwarding disabled.
debug1: Remote: Agent forwarding disabled.
debug1: Remote: Pty allocation disabled.
[... hundreds more like this ...]
debug1: Remote: Forced command: gitosis-serve obeattie
debug1: Remote: Port forwarding disabled.
debug1: Remote: X11 forwarding disabled.
debug1: Remote: Agent forwarding disabled.
debug1: Remote: Pty allocation disabled.
debug1: Remote: Forced command: gitosis-serve osjokine
debug1: Remote: Port forwarding disabled.
debug1: Remote: X11 forwarding disabled.
debug1: Remote: Agent forwarding disabled.
debug1: Remote: Pty allocation disabled.
[... hundreds more again ...]
debug1: Remote: Forced command: gitosis-serve obeattie
debug1: Remote: Port forwarding disabled.
debug1: Remote: X11 forwarding disabled.
debug1: Remote: Agent forwarding disabled.
debug1: Remote: Pty allocation disabled.
debug2: callback start

—Oliver
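
An added example, not part of the original post: a small Python parser that takes captured `ssh -v` client output like the above and groups the server-sent "Remote:" debug lines into one block per forced command, to measure how many other keys' forced commands were disclosed to the connecting client. The sample log is constructed from the condensed output in the post, and the function name and the `expected_command` parameter are assumptions made for illustration.

```python
import re
from collections import Counter

# Constructed sample, modelled on the condensed `ssh -v` output in the post.
SAMPLE_LOG = """\
debug1: Authentication succeeded (publickey).
debug1: Entering interactive session.
debug1: Remote: Forced command: gitosis-serve osjokine
debug1: Remote: Port forwarding disabled.
debug1: Remote: Pty allocation disabled.
debug1: Remote: Forced command: gitosis-serve obeattie
debug1: Remote: Port forwarding disabled.
debug1: Remote: Pty allocation disabled.
debug1: Remote: Forced command: gitosis-serve osjokine
debug1: Remote: Port forwarding disabled.
debug1: Remote: Forced command: gitosis-serve obeattie
debug1: Remote: Pty allocation disabled.
debug2: callback start
"""

REMOTE = re.compile(r"^debug\d: Remote: (.*)$")   # debug text relayed from the server
FORCED = re.compile(r"^Forced command: (.*)$")    # start of one key's option block


def summarize_remote_debug(log_text, expected_command):
    """Group 'Remote:' lines per forced command and list the commands
    other than expected_command that the client was shown."""
    blocks = []  # (forced command, [restriction messages that followed it])
    for line in log_text.splitlines():
        remote = REMOTE.match(line.strip())
        if not remote:
            continue
        message = remote.group(1)
        forced = FORCED.match(message)
        if forced:
            blocks.append((forced.group(1).strip(), []))
        elif blocks:
            blocks[-1][1].append(message)
    counts = Counter(command for command, _ in blocks)
    return {
        "blocks": len(blocks),
        "counts": dict(counts),
        "foreign": sorted(c for c in counts if c != expected_command),
        "last": blocks[-1][0] if blocks else None,
    }


if __name__ == "__main__":
    print(summarize_remote_debug(SAMPLE_LOG, "gitosis-serve obeattie"))
```
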


More information about the openssh-unix-dev mailing list