Subsystem sftp invoked even though forced command created

Jochen Bern Jochen.Bern at binect.de
Fri Jul 7 22:27:55 AEST 2023


On 06.07.23 23:37, MCMANUS, MICHAEL P wrote:
> So changing the forced command as stated will break the application. I
> would need to create a test bed to simulate the listener rather than
> use the server as is, where is. That may produce false or misleading
> results.
Since the forced command is tied to the specific keypair in the 
authorized_keys, you could
-- test with a different keypair or
-- use an additional 'from="..."' option to split the entry between your
    test client and the productive clients.

> Oddly enough, the same behavior occurs when the embedded key is used
> to launch an interactive sftp session from the host running the
> legitimate client:
> 
> # sftp -i ${embeddedKey} ${user}@${host}
> <Standard warning from /etc/issue.net>
> Connected to ${host}.
> sftp> ls
> README              collectors          receive-data.ksh    tmp
> sftp> ^D
> So we can probably write off any idiosyncrasies of WinSCP and work only
> with OpenSSH. Note there is no output from the script whatsoever.

In that case, let me repeat my quick test on one of our systems ... :

> [root ~]# cat /etc/centos-release
> CentOS Linux release 7.9.2009 (Core)
> [root ~]# rpm -q openssh
> openssh-7.4p1-22.el7_9.x86_64
> [root ~]# tail -1 ~autoquest/.ssh/authorized_keys | sed -e 's/AAA.*/.../'
> restrict,from="127.0.0.1",command="/bin/logger -t AutoHack" ssh-rsa ...
> [root ~]# ssh-keygen -l -f /home/autoquest/.ssh/authorized_keys | tail -1
> 4096 SHA256:NSG4SRm/sLQxX4Xc5lQiMc3Q9S5j0Vavp7gu+voAwhI CNG-000121900000-010098-01 (RSA)
> [root ~]# ssh-keygen -l -f /home/bongo/.ssh/*.pub
> 4096 SHA256:NSG4SRm/sLQxX4Xc5lQiMc3Q9S5j0Vavp7gu+voAwhI CNG-000121900000-010098-01 (RSA)
> [root ~]# su -l -s /bin/bash bongo
> [bongo ~]$ echo "foo bar baz" | sftp autoquest@127.0.0.1
[... confirm host keypair, output of /etc/issue.net ... then it just 
hangs ...]
> ^CKilled by signal 15.
> [bongo ~]$ exit
> logout
> [root ~]# journalctl -t AutoHack
> -- Logs begin at Thu 2023-06-22 11:07:33 CEST, end at Fri 2023-07-07 14:20:35 CEST. --
> Jul 07 14:19:35 cng-000121900000-010098-01 AutoHack[15837]: 

... no SFTP login, but also no stdin being logged ...

Kind regards,
-- 
Jochen Bern
Systemingenieur

Binect GmbH
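
Added example, not part of the original post: a small parser for authorized_keys option fields that shows how splitting one key's entry with from="..." selects a different forced command per client address. The sample entries, addresses, commands and key blob are constructed placeholders; the code assumes sshd falls through to a later entry for the same key when from= refuses the client, and it implements only a subset of from= pattern matching.

```python
import fnmatch

# Constructed sample: one key listed twice, split by from=; all values are placeholders.
SAMPLE = """\
restrict,from="192.0.2.10",command="/usr/local/bin/listener-test" ssh-rsa AAAAEXAMPLE test
restrict,from="!192.0.2.10,192.0.2.*",command="/usr/local/bin/listener" ssh-rsa AAAAEXAMPLE prod
"""

def parse_line(line):
    """Return (options, key type, key blob) for one authorized_keys line."""
    line = line.strip()
    opts, cur, quoted, i = [], "", False, 0
    if not line.startswith(("ssh-", "ecdsa-", "sk-")):   # line begins with options
        while i < len(line):
            ch = line[i]
            if quoted and ch == "\\" and line[i + 1:i + 2] == '"':
                cur, i = cur + '"', i + 1                # \" is a literal quote
            elif ch == '"':
                quoted = not quoted
            elif ch == "," and not quoted:
                opts.append(cur); cur = ""
            elif ch.isspace() and not quoted:
                break                                    # end of the option field
            else:
                cur += ch
            i += 1
        opts.append(cur)
    keytype, blob = line[i:].split()[:2]
    pairs = (o.partition("=") for o in opts if o)
    options = {name.lower(): (value if eq else True) for name, eq, value in pairs}
    return options, keytype, blob

def from_allows(patterns, addr):
    """Subset of from= matching: '*'/'?' wildcards and '!' negation, no CIDR."""
    ok = False
    for pat in patterns.split(","):
        if pat.startswith("!") and fnmatch.fnmatchcase(addr, pat[1:]):
            return False                                 # a negated match always denies
        ok = ok or (not pat.startswith("!") and fnmatch.fnmatchcase(addr, pat))
    return ok

def forced_command_for(text, blob, addr):
    """(accepted, command) from the first entry for blob that admits addr."""
    for line in text.splitlines():
        if line.strip() and not line.lstrip().startswith("#"):
            opts, _, key = parse_line(line)
            if key == blob and from_allows(opts.get("from", "*"), addr):
                return True, opts.get("command")
    return False, None
```

An accepted entry that returns None as its command is one without a forced command, which is worth flagging when every entry for the key is supposed to carry one.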