Subsystem sftp invoked even though forced command created
MCMANUS, MICHAEL P
mm1072 at att.com
Sat Jul 1 01:56:16 AEST 2023
The value of $SSH_ORIGINAL_COMMAND (which is what is being logged here) reflects the fact that no command is present on the client's ssh command line. The script relies on the forced command (which is supposed to ignore the client command line otherwise and pass the value of $SSH_ORIGINAL_COMMAND on to the forced command script).
The actual command is similar to the following (parameters inserted to protect the source):
(print ${FQDN} ; print ${Environment} ; cat ${OutFileXML}) | \
ssh -Ti ${EmbeddedPrivateKey} \
-o HostKeyAlias="${Alias}" \
-o GlobalKnownHostsFile="${EmbeddedKnownHosts}" \
-o UserKnownHostsFile="${ClientSpecificKnownHosts}" \
-o StrictHostKeyChecking="yes" \
-o CheckHostIP="no" \
-o NumberOfPasswordPrompts=0 \
${User}@${Host} 2>/dev/null
-----Original Message-----
From: Jochen Bern <Jochen.Bern at binect.de>
Sent: Friday, June 30, 2023 1:12 AM
To: openssh-unix-dev at mindrot.org
Cc: MCMANUS, MICHAEL P <mm1072 at att.com>
Subject: Re: Subsystem sftp invoked even though forced command created
On 30.06.23 00:06, MCMANUS, MICHAEL P wrote:
> An authorized penetration tester brought to my attention that the private
> key embedded in the application can be extracted and used to launch a
> WinSCP session against the user ID which the client uses to send the data
> to the server.
As it happens, I have a system using dedicated keypairs and forced
commands configured for them to extract survey data from CentOS 7 boxes,
so let me try that ...
> $ ssh -t -q autoquest at bongo -p 29056 -i .ssh/id_uptime_ed25519
> 1688110066
> 1684949224
> 685215
> 0
> $ sftp -P 29056 -i .ssh/id_uptime_ed25519 -q autoquest at bongo
> Received message too long 825636920
Hm. Some specific quirk of WinSCP, maybe ... ?
[grabs Win10 box] [updates WinSCP to 6.1.1] [adds keypair to both ends]
... gets me an error (-> screenshot) suggesting that it received the
output from the forced command, and logs that the sshd has indeed run
the forced command. Sorry, cannot confirm so far ...
> I ran the client as is and received the following entry in the log:
> Command: 2>/dev/null
That's a weird, I'd even say nonfunctional, remote command, and makes me
suspect that your ssh command has a syntax problem ... ?
Kind regards,
--
Jochen Bern
Systemingenieur
Binect GmbH
More information about the openssh-unix-dev
mailing list