Discussion:
Multiple forced commands being executed
Oliver Beattie
2011-01-20 23:49:57 UTC
Hi there,

I am having a very strange problem with SSH. Essentially, I'm using
forced commands to restrict access based on public key (there are
around 2000 public keys). It appears to work okay, but when I look at
the ssh -v output I see that the client/server is actually executing
all the forced commands for RSA keys (I am connecting with an RSA key)
until it "hits" my key.

Anyone have any idea why this is happening? I have no clue where to
even look for hints as to what would cause this…

Here's an example of the output I am seeing (condensed, the real
output is ~3000 lines):

OpenSSH_5.2p1, OpenSSL 0.9.8l 5 Nov 2009
debug1: Authentication succeeded (publickey).
debug2: fd 5 setting O_NONBLOCK
debug2: fd 6 setting O_NONBLOCK
debug1: channel 0: new [client-session]
debug3: ssh_session2_open: channel_new: 0
debug2: channel 0: send open
debug1: Requesting no-more-***@openssh.com
debug1: Entering interactive session.
debug1: Remote: Forced command: gitosis-serve osjokine
debug1: Remote: Port forwarding disabled.
debug1: Remote: X11 forwarding disabled.
debug1: Remote: Agent forwarding disabled.
debug1: Remote: Pty allocation disabled.
[... hundreds more like this ...]
debug1: Remote: Forced command: gitosis-serve obeattie
debug1: Remote: Port forwarding disabled.
debug1: Remote: X11 forwarding disabled.
debug1: Remote: Agent forwarding disabled.
debug1: Remote: Pty allocation disabled.
debug1: Remote: Forced command: gitosis-serve osjokine
debug1: Remote: Port forwarding disabled.
debug1: Remote: X11 forwarding disabled.
debug1: Remote: Agent forwarding disabled.
debug1: Remote: Pty allocation disabled.
[... hundreds more again ...]
debug1: Remote: Forced command: gitosis-serve obeattie
debug1: Remote: Port forwarding disabled.
debug1: Remote: X11 forwarding disabled.
debug1: Remote: Agent forwarding disabled.
debug1: Remote: Pty allocation disabled.
debug2: callback start

—Oliver
Dominik George
2011-01-22 10:50:41 UTC
Hi Oliver,

oh, sure, I didn't exactly get that. I will try to reproduce that ...

-nik
Dominik George
2011-01-22 10:24:31 UTC
Hi Oliver,

this is essentially the point of the forced commands. SSH will execute
them, no matter what the client actually provides as a command.

If you instead want to just verify if the command is allowed, you will
need a wrapper script as forced command that checks the
$SSH_ORIGINAL_COMMAND environment variable and then decides what to do.

Again, the forced-commands-only is for forcing a command, not for
verifying it.

-nik
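
The kind of wrapper described in the reply above, as an added example that is not part of the original thread and is not gitosis code: a forced-command script that inspects $SSH_ORIGINAL_COMMAND and lets through only two git transport commands on a relative repository path. The script path, the /srv/git root and the allowlist are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: hypothetical forced-command wrapper, assumed to be installed
# as /usr/local/bin/ssh-git-gate and referenced once per key, e.g.
#   command="/usr/local/bin/ssh-git-gate obeattie",no-port-forwarding,no-pty ssh-rsa <KEY>
# sshd runs it instead of the client's request, which arrives in
# SSH_ORIGINAL_COMMAND.
LC_ALL=C; export LC_ALL

# check_request ORIGINAL_COMMAND
# Prints "verb repo" and returns 0 for an allowed request, returns 1 otherwise.
check_request() {
    orig=$1
    [ -n "$orig" ] || return 1                 # empty: nothing was requested
    case $orig in
        *[!A-Za-z0-9\ ._/\'-]*) return 1 ;;    # any character outside the allowlist
        *..*) return 1 ;;                      # path traversal
    esac
    verb=${orig%% *}
    arg=${orig#* }
    [ "$verb" != "$orig" ] || return 1         # no argument given
    case $verb in
        git-upload-pack|git-receive-pack) ;;   # the only permitted programs
        *) return 1 ;;
    esac
    repo=${arg#\'}                             # git quotes the path; strip one pair
    repo=${repo%\'}
    case $repo in
        ''|/*|*\'*|*' '*) return 1 ;;          # empty, absolute, stray quote, space
        *.git) ;;
        *) return 1 ;;
    esac
    printf '%s %s\n' "$verb" "$repo"
}

main() {
    user=$1
    if req=$(check_request "$SSH_ORIGINAL_COMMAND"); then
        cd /srv/git || exit 1                  # assumed repository root
        exec "${req%% *}" "${req#* }"
    fi
    echo "ssh-git-gate: request from $user refused" >&2
    exit 1
}

# Run only under sshd with a client request; sourcing the file or an
# interactive login attempt (variable unset) executes nothing.
[ "${SSH_ORIGINAL_COMMAND+set}" != set ] || main "$@"
```
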
Oliver Beattie
2011-01-22 10:27:58 UTC
Hi Dominik,

Thanks for your reply, but I'm not sure I've properly explained what I
mean. In essence, from what I can see, it isn't just executing the
forced command for the key that is being used, it executes the
commands for *every* RSA key in the authorized_keys file, meaning I
get hundreds of commands being run for each login. The program is
itself checking the $SSH_ORIGINAL_KEY.

Hope this explains it better.

—Oliver