I'm running OpenSSH 2.9 under OpenBSD 2.9 on a recent AMD box.
People access the system using ssh to tunnel a source control system.
They all use the same username, which is set up to not allow logins,
but does have a ~/.ssh/authorized_keys (and ~/.ssh/authorized_keys2)
file. Each person with access has a public key in the file. Each
key is preceded with options to force a command to be run, disallow a
pty, and only allow port forwarding to the service they are allowed
to access (command="/etc/waiter",no-pty,permitopen="..."). The
command runs a tiny program that just waits to die. Its purpose is
to prevent any other command from being executed.
This all seems to work, except for two problems:
1. Authentication works, but displays the messages "csh: Permission
Denied" / "csh: Trying to start from <the home directory of the
username>"
2. While sshd processes do go away when the connections drop, the
waiters (and a csh) hang around, and build up.
Here are debug messages connecting in:
zinc:~{528}$ ssh -l usera -f -x -L xxx hostname foo
debug: RSA authentication accepted by server.
debug: Connections to local port xxxx forwarded to remote address xxxx
debug: Local forwarding listening on 127.0.0.1 port xxxx.
debug: fd 8 setting O_NONBLOCK
debug: fd 8 IS O_NONBLOCK
debug: channel 0: new [port listener]
debug: Sending command: foo
debug: Entering interactive session.
debug: Sending eof.
zinc:~{529}$ csh: Permission denied
csh: Trying to start from "/home/usera"
Here is the waiter source:
#include <stdlib.h>
#include <unistd.h>

int main ( int argc, char** argv )
{
    /* Wait until the parent exits: an orphaned process is reparented to
     * init (pid 1). The posted version tested getpid(), which is our own
     * pid and so never becomes 1. */
    while ( getppid() != 1 )
        sleep ( 300 );
    exit ( 0 );
}
I think I may have realized the second problem: getpid(2) never fails
on BSD systems. But still, the child should be killed when the sshd
process goes away, shouldn't it? Is there better code to use for
this?
The first problem really has me stumped. I've checked the
permissions on the home directory, the authorized_keys file, and so
on, but can't see anything wrong.
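An added example, not the poster's program, of the usual way to write such a waiter. Two facts drive the design. First, sshd never signals a forced command when the connection drops; it only closes the pipes it attached to the command's stdin/stdout, so a process that sleeps and never touches stdin keeps running. Second, sshd starts the forced command through the account's login shell as `$SHELL -c '/etc/waiter'`, which is where the csh in the post comes from; csh forks the waiter rather than exec'ing it (hence the lingering csh per waiter), so the waiter's parent is that csh, not sshd, and a getppid() test never sees sshd leave. Blocking on stdin until EOF works through the shell, because the pipe is inherited and sshd is the only holder of its write end. The authorized_keys options are the ones from the post; the key material and permitopen target are assumed elided as there. The self-test helper and its pipe are part of the example only.

```c
/*
 * Added example (not the original poster's code): a forced-command
 * "waiter" that exits when the ssh session that started it goes away.
 * It blocks on stdin instead of sleeping, because sshd does not kill the
 * command when the connection drops; it only closes the pipes behind it.
 * The authorized_keys entry it is meant for, with the options from the
 * post (key material and permitopen target elided there too):
 *   command="/etc/waiter",no-pty,permitopen="..." ssh-rsa ...
 */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/*
 * Read and discard everything on fd until the writer closes it.  For a
 * forced command, stdin is the session channel, so EOF means the client
 * disconnected or sshd tore the session down.  Returns the number of
 * bytes discarded, or -1 on a read error other than EINTR (e.g. bad fd).
 */
long wait_for_eof(int fd)
{
    char buf[512];
    long total = 0;

    for (;;) {
        ssize_t n = read(fd, buf, sizeof buf);
        if (n == 0)
            return total;           /* EOF: the other side is gone */
        if (n < 0) {
            if (errno == EINTR)
                continue;           /* interrupted by a signal, retry */
            return -1;
        }
        total += n;                 /* whatever the client sent, ignore it */
    }
}

/*
 * Self-check (example-only helper): a pipe stands in for the session
 * channel.  Writes msg, closes the write end (which is what sshd does
 * when the session ends) and returns what wait_for_eof() saw.
 */
long selftest_pipe_eof(const char *msg)
{
    int p[2];
    long seen;
    size_t len = strlen(msg);

    if (pipe(p) == -1)
        return -1;
    if (write(p[1], msg, len) != (ssize_t)len) {
        close(p[0]);
        close(p[1]);
        return -1;
    }
    close(p[1]);                    /* writer gone: reader must see EOF */
    seen = wait_for_eof(p[0]);
    close(p[0]);
    return seen;
}

int main(void)
{
    /* The sleep loop this replaces could not notice the channel closing;
     * this returns the moment sshd closes our stdin. */
    if (wait_for_eof(STDIN_FILENO) < 0) {
        perror("waiter: read");
        return 1;
    }
    return 0;
}
```

One caveat for the client side: this waiter only lives as long as the client keeps stdin open. `ssh -f` implies `-n` (stdin from /dev/null), which is why the posted debug output shows "Sending eof." right after the command is sent; with the waiter above that EOF would end the session at once, so the tunnel has to be started without `-f`.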