Subsystem sftp invoked even though forced command created
Jochen Bern
Jochen.Bern at binect.de
Fri Jun 30 18:11:44 AEST 2023
On 30.06.23 00:06, MCMANUS, MICHAEL P wrote:
> An authorized penetration tester brought to my attention that the private
> key embedded in the application can be extracted and used to launch a
> WinSCP session against the user ID which the client uses to send the data
> to the server.
As it happens, I have a system using dedicated keypairs and forced
commands configured for them to extract survey data from CentOS 7 boxes,
so let me try that ...
> $ ssh -t -q autoquest at bongo -p 29056 -i .ssh/id_uptime_ed25519
> 1688110066
> 1684949224
> 685215
> 0
> $ sftp -P 29056 -i .ssh/id_uptime_ed25519 -q autoquest at bongo
> Received message too long 825636920
Hm. Some specific quirk of WinSCP, maybe ... ?
[grabs Win10 box] [updates WinSCP to 6.1.1] [adds keypair to both ends]
... gets me an error (-> screenshot) suggesting that it received the
output from the forced command, and logs that the sshd has indeed run
the forced command. Sorry, cannot confirm so far ...
> I ran the client as is and received the following entry in the log:
> Command: 2>/dev/null
That's a weird, I'd even say nonfunctional, remote command, and makes me
suspect that your ssh command has a syntax problem ... ?
Kind regards,
--
Jochen Bern
Systemingenieur
Binect GmbH
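Added example, not part of the original message: the number in sftp's "Received message too long" error is the first four bytes the server sent, read as a big-endian packet length. Decoding the value from the session above shows ASCII text that matches the start of the forced command's output, consistent with sshd running the forced command rather than the sftp subsystem. The function names are hypothetical.

```python
import re
import struct

# Lines copied from the session quoted in the message above.
FORCED_COMMAND_OUTPUT = "1688110066\n1684949224\n685215\n0\n"
SFTP_ERROR = "Received message too long 825636920"


def leading_bytes(error_line):
    """Return the 4 bytes the sftp client parsed as a packet length."""
    m = re.search(r"Received message too long (\d+)", error_line)
    if m is None:
        raise ValueError("not an sftp 'message too long' error")
    value = int(m.group(1))
    if value > 0xFFFFFFFF:
        raise ValueError("length does not fit in 32 bits")
    # SFTP packets start with a uint32 length in network byte order.
    return struct.pack(">I", value)


def is_plain_text(raw):
    """True if every byte is printable ASCII or common whitespace."""
    return all(0x20 <= b <= 0x7E or b in (0x09, 0x0A, 0x0D) for b in raw)


def diagnose(error_line, expected_output):
    """Classify what the server sent in place of an SFTP packet."""
    raw = leading_bytes(error_line)
    if not is_plain_text(raw):
        return raw, "binary data, not explained by text output"
    # Output values can change between runs, so only the first
    # four bytes are compared against the known command output.
    if expected_output.encode("ascii", "replace").startswith(raw):
        return raw, "matches forced command output"
    return raw, "text from another source (e.g. shell startup files)"


if __name__ == "__main__":
    raw, verdict = diagnose(SFTP_ERROR, FORCED_COMMAND_OUTPUT)
    print(f"{raw!r}: {verdict}")
```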