Bug#983464: openssh-server: Forced command affects all keys

Wed, 24 Feb 2021 08:39:13 -0800 

Package: openssh-server
Version: 1:8.4p1-4
Severity: normal
X-Debbugs-Cc: deb...@3001.dk

(I guess - but haven't checked in any way - that this also affects
upstream)

(There are many open bugs against this package, so I didn't carefully
read the list, but did search it - without finding this issue)

The sshd manpage says:
     command="command"
             Specifies that the command is executed whenever this key is used 
for authentication.

but when I add such an option on one key in my authorized_keys file, so
it looks like:
ssh-rsa AAAAB3... gr...@sslug.dk
command="/bin/hostname" ssh-rsa AAAAB3N... h...@one.com
(I've shortened my public keys, as they are completely irrelevant, if
you want to give me access to some machine, ask me for the complete key)

I get the output of /bin/hostname no matter which key I use:
grove@stacey> ssh -i .ssh/privat_rsa 10.0.3.106 date
sid
grove@stacey> ssh -i .ssh/id_rsa 10.0.3.106 date
sid

(A forced command was my use case, so that's what I've been specifying
when testing, but in my orginal attempt at setting this up, I copied
from somewhere specifying more options, and I think I saw that the
problem also affected pty allocation, so possibly all options)

-- System Information:
Debian Release: bullseye/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-14-amd64 (SMP w/8 CPU threads)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages openssh-server depends on:
ii  adduser                3.118
ii  debconf [debconf-2.0]  1.5.74
ii  dpkg                   1.20.7.1
ii  libaudit1              1:3.0-2
ii  libc6                  2.31-9
ii  libcom-err2            1.46.1-1
ii  libcrypt1              1:4.4.17-1
ii  libgssapi-krb5-2       1.18.3-4
ii  libkrb5-3              1.18.3-4
ii  libpam-modules         1.4.0-4
ii  libpam-runtime         1.4.0-4
ii  libpam0g               1.4.0-4
ii  libselinux1            3.1-3
ii  libssl1.1              1.1.1j-1
ii  libsystemd0            247.3-1
ii  libwrap0               7.6.q-31
ii  lsb-base               11.1.0
ii  openssh-client         1:8.4p1-4
ii  openssh-sftp-server    1:8.4p1-4
ii  procps                 2:3.3.17-4
ii  runit-helper           2.10.3
ii  ucf                    3.0043
ii  zlib1g                 1:1.2.11.dfsg-2

Versions of packages openssh-server recommends:
ii  libpam-systemd [logind]  247.3-1
ii  ncurses-term             6.2+20201114-2
ii  xauth                    1:1.1-1

Versions of packages openssh-server suggests:
pn  molly-guard   <none>
pn  monkeysphere  <none>
pn  ssh-askpass   <none>
pn  ufw           <none>

-- debconf information:
  openssh-server/password-authentication: true
  openssh-server/permit-root-login: true

Reply via email to