Multiple forced commands being executed

Oliver Beattie oliver at obeattie.com
Tue Feb 1 22:08:18 EST 2011


Hi Darren,

Thanks so much for getting back to me. Yes, you're absolutely right,
on the server only the "proper" command gets executed. However, it is
a security problem for us to reveal all/many of the usernames that can
potentially access these machine(s). Is there some way we can prevent
this from being sent to the client?

—Oliver



On 1 February 2011 12:45, Darren Tucker <dtucker at zip.com.au> wrote:
> On 1/02/11 8:52 PM, Oliver Beattie wrote:
>>
>> Hi,
>>
>> Sorry to post this here again, I already posted it in the users
>> mailing list but haven't got very far. I really need to get this
>> resolved ASAP, as it's causing a big security headache for us. If
>> anyone can help that would be wonderful. The original thread is here:
>> http://marc.info/?l=secure-shell&m=129562817820176&w=2
>>
>> I am having a very strange problem with SSH. Essentially, I'm using
>> forced commands to restrict access based on public key (there are
>> around 2000 public keys). It appears to work okay, but when I look at
>> the ssh -v output I see that the client/server is actually executing
>> all the forced commands for RSA keys (I am connecting with an RSA key)
>> until it "hits" my key.
>>
>> Anyone have any idea why this is happening? I have no clue where to
>> even look for hints as to what would cause this…
>
> Do you actually see the command being executed?  Looking at the code, that
> output is just from the option parser, not the actual execution (in
> auth-options.c:auth_parse_options()).   The forced command that is actually
> executed gets logged on the server side as "Forced command (key option) "
> (at loglevel debug and above, in session.c).
>
> If you are actually seeing the command executed multiple times, could you
> please post a small sample of the authorized_keys file (feel free to elide
> the actual keys).
>
> --
> Darren Tucker (dtucker at zip.com.au)
> GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
>    Good judgement comes with experience. Unfortunately, the experience
> usually comes from bad judgement.
>
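
To size the exposure discussed in this thread, the following added example (not from the thread and not OpenSSH code) parses an authorized_keys file and returns the forced-command strings on entries of the same key type up to and including a given key. That this is the set shown in `ssh -v` output is taken from the report above and is an assumption here; the sample users, the `/usr/local/bin/gate` path and the key blobs are constructed.

```python
import re
KEY_TYPE = re.compile(r"^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-\S+)$")

def split_entry(line):
    """Return (options, keytype, blob) for one authorized_keys line, or None."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    i, quoted = 0, False
    if not KEY_TYPE.match(line.split(None, 1)[0]):
        # Options end at the first whitespace outside quotes; \" stays inside.
        while i < len(line) and (quoted or not line[i].isspace()):
            if quoted and line[i:i + 2] == '\\"':
                i += 1
            elif line[i] == '"':
                quoted = not quoted
            i += 1
    fields = line[i:].split()
    if len(fields) < 2 or not KEY_TYPE.match(fields[0]):
        return None
    return line[:i], fields[0], fields[1]

def forced_command(options):
    """Extract the command="..." value (option names are case-insensitive)."""
    m = re.search(r'(?:^|,)command="((?:\\.|[^"\\])*)"', options, re.I)
    return m.group(1).replace('\\"', '"') if m else None

def commands_up_to(text, keytype, blob):
    """Forced commands on same-type entries up to and including the match."""
    # Assumption: models the behaviour reported in the thread, not sshd source.
    seen = []
    for line in text.splitlines():
        entry = split_entry(line)
        if entry is None or entry[1] != keytype:
            continue
        cmd = forced_command(entry[0])
        if cmd is not None:
            seen.append(cmd)
        if entry[2] == blob:
            return seen
    return []  # key not in the file

# Constructed sample: users, helper path and key blobs are placeholders.
SAMPLE = '''\
command="/usr/local/bin/gate alice",no-pty ssh-rsa AAAAKEY1 alice@example
command="/usr/local/bin/gate bob" ssh-dss AAAAKEY2 bob@example
command="/usr/local/bin/gate \\"carol c\\"",no-pty ssh-rsa AAAAKEY3 carol@example
'''
```

Any username or account identifier embedded in a `command="..."` string appears in the returned list, which makes it a quick way to review what those strings contain.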


More information about the openssh-unix-dev mailing list