At 11:37 PM -0700 9/21/01, Randall Gellens wrote:

>I'm running OpenSSH 2.9 under OpenBSD 2.9 on a recent AMD box.
>
>People access the system using ssh to tunnel a source control 
>system. They all use the same username, which is set up to not allow 
>logins, but does have a ~/.ssh/authorized_keys (and 
>~/.ssh/authorized_keys2) file.  Each person with access has a public 
>key in the file.  Each key is preceded with options to force a 
>command to be run, disallow a pty, and only allow port forwarding to 
>the service they are allowed to access 
>(command="/etc/waiter",no-pty,permitopen="...").  The command runs a 
>tiny program that just waits to die.  Its purpose is to prevent any
>other command from being executed.
>
>This all seems to work, except for two problems:
>
>1.  Authentication works, but displays the messages  "csh: 
>Permission Denied" / "csh: Trying to start from <the home directory 
>of the username>"
>
>2.  While sshd processes do go away when the connections drop, the 
>waiters (and a csh) hang around, and build up.
>
>Here are debug messages connecting in:
>
>zinc:~{528}$ ssh  -l usera -f -x -L xxx hostname foo
>
>debug: RSA authentication accepted by server.
>debug: Connections to local port xxxx forwarded to remote address xxxx
>debug: Local forwarding listening on 127.0.0.1 port xxxx.
>debug: fd 8 setting O_NONBLOCK
>debug: fd 8 IS O_NONBLOCK
>debug: channel 0: new [port listener]
>debug: Sending command: foo
>debug: Entering interactive session.
>debug: Sending eof.
>zinc:~{529}$ csh: Permission denied
>csh: Trying to start from "/home/usera"
>
>Here is the waiter source:
>
>#include <stdlib.h>
>#include <unistd.h>
>
>int main ( int argc, char** argv )
>{
>         /* intended: sleep until reparented to init (pid 1), i.e. until
>            sshd has gone away; getpid() returns our own pid, which is
>            never 1, so as written this loop never ends */
>         while ( getpid() != 1 )
>                 sleep ( 300 );
>         exit ( 0 );
>}
>
>I think I may have realized the second problem: getpid(2) never 
>fails on BSD systems.  But still, the child should be killed when 
>the sshd process goes away, shouldn't it?  Is there better code to 
>use for this?
>
>The first problem really has me stumped.  I've checked the 
>permissions on the home directory, the authorized_keys file, and so 
>on, but can't see anything wrong.

In playing with this some more, I tried changing getpid() to 
getppid(), which does get the waiter to exit (thanks to all who 
caught the error).

I also tried making the forced command "sleep 2" and changing the 
account's shell to bash.  That gave this error:

zinc:~{512}$ shell-init: could not get current directory: getcwd: 
cannot access parent directories: Permission denied

And the client exits, so it doesn't do the port forwarding.

Here are the directory permissions:

matlovich:~$ ls -ld /home
drwxr-x--x  7 root  wheel  512 Jul 25 17:40 /home/

matlovich:~$ ls -ld /home/usera
drwxr-x--x  3 usera  users  512 Sep 24 17:00 /home/usera/

If I change the command to run the waiter, but leave the shell at 
bash, I still get the error (shell-init: could not get current 
directory: getcwd: cannot access parent directories: Permission 
denied) but it does work, the client continues, and forwards the 
ports.

I tried changing the permissions on the home directory to 
'drwxr-xr-x', but it didn't help.
