Mailing List Archive

Multiple forced commands being executed
Hi there,

I am having a very strange problem with SSH. Essentially, I'm using
forced commands to restrict access based on public key (there are
around 2000 public keys). It appears to work okay, but when I look at
the ssh -v output I see that the client/server is actually executing
all the forced commands for RSA keys (I am connecting with an RSA key)
until it "hits" my key.

Anyone have any idea why this is happening? I have no clue where to
even look for hints as to what would cause this…

Here's an example of the output I am seeing (condensed, the real
output is ~3000 lines):

OpenSSH_5.2p1, OpenSSL 0.9.8l 5 Nov 2009
debug1: Authentication succeeded (publickey).
debug2: fd 5 setting O_NONBLOCK
debug2: fd 6 setting O_NONBLOCK
debug1: channel 0: new [client-session]
debug3: ssh_session2_open: channel_new: 0
debug2: channel 0: send open
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
debug1: Remote: Forced command: gitosis-serve osjokine
debug1: Remote: Port forwarding disabled.
debug1: Remote: X11 forwarding disabled.
debug1: Remote: Agent forwarding disabled.
debug1: Remote: Pty allocation disabled.
[... hundreds more like this ...]
debug1: Remote: Forced command: gitosis-serve obeattie
debug1: Remote: Port forwarding disabled.
debug1: Remote: X11 forwarding disabled.
debug1: Remote: Agent forwarding disabled.
debug1: Remote: Pty allocation disabled.
debug1: Remote: Forced command: gitosis-serve osjokine
debug1: Remote: Port forwarding disabled.
debug1: Remote: X11 forwarding disabled.
debug1: Remote: Agent forwarding disabled.
debug1: Remote: Pty allocation disabled.
[... hundreds more again ...]
debug1: Remote: Forced command: gitosis-serve obeattie
debug1: Remote: Port forwarding disabled.
debug1: Remote: X11 forwarding disabled.
debug1: Remote: Agent forwarding disabled.
debug1: Remote: Pty allocation disabled.
debug2: callback start

—Oliver
Re: Multiple forced commands being executed

Hi Oliver,

this is essentially the point of the forced commands. SSH will execute
them, no matter what the client actually provides as a command.

If you instead want to just verify if the command is allowed, you will
need a wrapper script as forced command that checks the
$SSH_ORIGINAL_COMMAND environment variable and then decides what to do.

Again, the forced-commands-only is for forcing a command, not for
verifying it.

-nik
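One way to build the wrapper nik describes, as an added example that is not code from the thread or from gitosis: the forced command is a small shell script that ignores what the client asked for, checks SSH_ORIGINAL_COMMAND against an allowlist of git server verbs and a sanitised repository name, logs every invocation (with its pid and the key owner passed as argument), and only then execs the canonical command without a shell in between. The script name ssh-gate, the log path and the repository root are assumptions. Because it writes a log line each time it really executes, it also gives a direct way to confirm how many times the forced command genuinely runs for one login, independently of what the client's debug output suggests.

```shell
#!/bin/sh
# Added example, not code from the thread or from gitosis.
# Forced-command wrapper: sshd runs this for every key, whatever the client
# requested; the client's request arrives only in SSH_ORIGINAL_COMMAND.
# Each authorized_keys line would point here with the key owner as argument:
#   command="/usr/local/bin/ssh-gate alice",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa AAAA... alice
# Script name, log path and repository root are assumptions for this example.

GATE_LOG="${GATE_LOG:-/var/log/ssh-gate.log}"
REPO_ROOT="${REPO_ROOT:-/srv/git}"

# Append one timestamped line to the invocation log.
gate_log() {
    printf '%s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$*" >> "$GATE_LOG"
}

# Validate the client's requested command. Only the two git server verbs with
# a single-quoted, relative, traversal-free repository name are accepted.
# On success sets GATE_VERB and GATE_REPO (the absolute path) and returns 0;
# anything else returns 1 and is never executed.
gate_check() {
    cmd=$1
    case "$cmd" in
        "git-upload-pack '"*"'"|"git-receive-pack '"*"'") ;;
        *) return 1 ;;
    esac
    GATE_VERB=${cmd%% *}          # text before the first space
    repo=${cmd#* }                # text after it, still single-quoted
    repo=${repo#"'"}
    repo=${repo%"'"}
    # Reject empty names, absolute paths, ".." segments and any character
    # outside the conservative repository-name alphabet.
    case "$repo" in
        ""|/*|*..*|*[!A-Za-z0-9_./-]*) return 1 ;;
    esac
    GATE_REPO="$REPO_ROOT/$repo"
    return 0
}

# Entry point when sshd invokes the script: log the decision, then either
# exec the canonical command (no shell in between) or refuse.
gate_main() {
    owner=${1:?key owner argument missing}
    orig=${SSH_ORIGINAL_COMMAND:-}
    if gate_check "$orig"; then
        gate_log "ALLOW owner=$owner pid=$$ cmd=$orig"
        exec "$GATE_VERB" "$GATE_REPO"
    fi
    gate_log "DENY owner=$owner pid=$$ cmd=$orig"
    echo "ssh-gate: command not permitted" >&2
    exit 1
}

# Run the entry point only when installed under the expected name, so the
# functions above can also be sourced and exercised on their own.
case "${0##*/}" in
    ssh-gate) gate_main "$@" ;;
esac
```

The restrictions in the authorized_keys comment (no-port-forwarding, no-X11-forwarding, no-agent-forwarding, no-pty) are the same ones visible in the debug output above; the wrapper adds the command check that those options alone do not provide.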
Re: Multiple forced commands being executed
Hi Dominik,

Thanks for your reply, but I'm not sure I've properly explained what I
mean. In essence, from what I can see, it isn't just executing the
forced command for the key that is being used, it executes the
commands for *every* RSA key in the authorized_keys file, meaning I
get hundreds of commands being run for each login. The program is
itself checking the $SSH_ORIGINAL_KEY.

Hope this explains it better.

—Oliver



On 22 January 2011 09:43, Dominik George <nik@naturalnet.de> wrote:
> Hi Oliver,
>
> this is essentially the point of the forced commands. SSH will execute
> them, no matter what the client actually provides as a command.
>
> If you instead want to just verify if the command is allowed, you will
> need a wrapper script as forced command that checks the
> $SSH_ORIGINAL_COMMAND environment variable and then decides what to do.
>
> Again, the forced-commands-only is for forcing a command, not for
> verifying it.
>
> -nik
>
>> Hi there,
>>
>> I am having a very strange problem with SSH. Essentially, I'm using
>> forced commands to restrict access based on public key (there are
>> around 2000 public keys). It appears to work okay, but when I look at
>> the ssh -v output I see that the client/server is actually executing
>> all the forced commands for RSA keys (I am connecting with an RSA key)
>> until it "hits" my key.
>>
>> Anyone have any idea why this is happening? I have no clue where to
>> even look for hints as to what would cause this…
>>
>> Here's an example of the output I am seeing (condensed, the real
>> output is ~3000 lines):
>>
>> OpenSSH_5.2p1, OpenSSL 0.9.8l 5 Nov 2009
>> debug1: Authentication succeeded (publickey).
>> debug2: fd 5 setting O_NONBLOCK
>> debug2: fd 6 setting O_NONBLOCK
>> debug1: channel 0: new [client-session]
>> debug3: ssh_session2_open: channel_new: 0
>> debug2: channel 0: send open
>> debug1: Requesting no-more-sessions@openssh.com
>> debug1: Entering interactive session.
>> debug1: Remote: Forced command: gitosis-serve osjokine
>> debug1: Remote: Port forwarding disabled.
>> debug1: Remote: X11 forwarding disabled.
>> debug1: Remote: Agent forwarding disabled.
>> debug1: Remote: Pty allocation disabled.
>> [... hundreds more like this ...]
>> debug1: Remote: Forced command: gitosis-serve obeattie
>> debug1: Remote: Port forwarding disabled.
>> debug1: Remote: X11 forwarding disabled.
>> debug1: Remote: Agent forwarding disabled.
>> debug1: Remote: Pty allocation disabled.
>> debug1: Remote: Forced command: gitosis-serve osjokine
>> debug1: Remote: Port forwarding disabled.
>> debug1: Remote: X11 forwarding disabled.
>> debug1: Remote: Agent forwarding disabled.
>> debug1: Remote: Pty allocation disabled.
>> [... hundreds more again ...]
>> debug1: Remote: Forced command: gitosis-serve obeattie
>> debug1: Remote: Port forwarding disabled.
>> debug1: Remote: X11 forwarding disabled.
>> debug1: Remote: Agent forwarding disabled.
>> debug1: Remote: Pty allocation disabled.
>> debug2: callback start
>>
>> —Oliver
>>
>
>
>
Re: Multiple forced commands being executed

Hi Oliver,

oh, sure, I didn't exactly get that. I will try to reproduce that ...

-nik

Am 22.01.2011 11:27, schrieb Oliver Beattie:
> Hi Dominik,
>
> Thanks for your reply, but I'm not sure I've properly explained
> what I mean. In essence, from what I can see, it isn't just
> executing the forced command for the key that is being used, it
> executes the commands for *every* RSA key in the authorized_keys
> file, meaning I get hundreds of commands being run for each login.
> The program is itself checking the $SSH_ORIGINAL_KEY.
>
> Hope this explains it better.
>
> —Oliver
>
>
>
> On 22 January 2011 09:43, Dominik George <nik@naturalnet.de>
> wrote:
>> Hi Oliver,
>>
>> this is essentially the point of the forced commands. SSH will
>> execute them, no matter what the client actually provides as a
>> command.
>>
>> If you instead want to just verify if the command is allowed, you
>> will need a wrapper script as forced command that checks the
>> $SSH_ORIGINAL_COMMAND environment variable and then decides what
>> to do.
>>
>> Again, the forced-commands-only is for forcing a command, not
>> for verifying it.
>>
>> -nik
>>
>>> Hi there,
>>>
>>> I am having a very strange problem with SSH. Essentially, I'm
>>> using forced commands to restrict access based on public key
>>> (there are around 2000 public keys). It appears to work okay,
>>> but when I look at the ssh -v output I see that the
>>> client/server is actually executing all the forced commands for
>>> RSA keys (I am connecting with an RSA key) until it "hits" my
>>> key.
>>>
>>> Anyone have any idea why this is happening? I have no clue
>>> where to even look for hints as to what would cause this…
>>>
>>> Here's an example of the output I am seeing (condensed, the
>>> real output is ~3000 lines):
>>>
>>> OpenSSH_5.2p1, OpenSSL 0.9.8l 5 Nov 2009
>>> debug1: Authentication succeeded (publickey).
>>> debug2: fd 5 setting O_NONBLOCK
>>> debug2: fd 6 setting O_NONBLOCK
>>> debug1: channel 0: new [client-session]
>>> debug3: ssh_session2_open: channel_new: 0
>>> debug2: channel 0: send open
>>> debug1: Requesting no-more-sessions@openssh.com
>>> debug1: Entering interactive session.
>>> debug1: Remote: Forced command: gitosis-serve osjokine
>>> debug1: Remote: Port forwarding disabled.
>>> debug1: Remote: X11 forwarding disabled.
>>> debug1: Remote: Agent forwarding disabled.
>>> debug1: Remote: Pty allocation disabled.
>>> [... hundreds more like this ...]
>>> debug1: Remote: Forced command: gitosis-serve obeattie
>>> debug1: Remote: Port forwarding disabled.
>>> debug1: Remote: X11 forwarding disabled.
>>> debug1: Remote: Agent forwarding disabled.
>>> debug1: Remote: Pty allocation disabled.
>>> debug1: Remote: Forced command: gitosis-serve osjokine
>>> debug1: Remote: Port forwarding disabled.
>>> debug1: Remote: X11 forwarding disabled.
>>> debug1: Remote: Agent forwarding disabled.
>>> debug1: Remote: Pty allocation disabled.
>>> [... hundreds more again ...]
>>> debug1: Remote: Forced command: gitosis-serve obeattie
>>> debug1: Remote: Port forwarding disabled.
>>> debug1: Remote: X11 forwarding disabled.
>>> debug1: Remote: Agent forwarding disabled.
>>> debug1: Remote: Pty allocation disabled.
>>> debug2: callback start
>>>
>>> —Oliver
>>>
>>
>>
>>

Re: Multiple forced commands being executed
FYI - ssh version is:

OpenSSH_5.4p1 FreeBSD-20100308, OpenSSL 0.9.8n 24 Mar 2010

And now I am using my own SMTP, not Gmail's blacklisted ones, so hopefully this message will actually make it to the list...


On 03/02/2011, at 1:44 PM, Mark Aufflick wrote:

> FYI I am seeing exactly the same issue. The -vv output on the client
> shows running a huge number of commands (not totally sure if it
> correlates to the number of entries in authorized_keys or just the
> number preceding the matched key - I think it's the latter) and
> judging by the pid of the command that finally ends up being run those
> log entries are actually related to commands being run and abandoned.
>
> It's like the forced command is executed prior to the key being
> checked? Besides wasting resources it's potentially doing things you
> don't expect (what if the command had a side effect) and slowing down
> the connection.
>
> I assume it's not intended behaviour? Neither the command="command"
> section of the ssh man page nor the ForceCommand section of
> sshd_config make any reference to it so I presume not.
>
> Let me know if I can provide any more useful info - I'm going to have
> a quick hunt in the sshd code to see if I can find anything obvious,
> but I'm not familiar with the code base so don't hold your breath.
>
> Cheers,
>
> Mark.
> --
> Mark Aufflick
> http://mark.aufflick.com/about/contact
> http://pumptheory.com/about