At 11:37 PM -0700 9/21/01, Randall Gellens wrote:
>I'm running OpenSSH 2.9 under OpenBSD 2.9 on a recent AMD box.
>
>People access the system using ssh to tunnel a source control
>system. They all use the same username, which is set up to not allow
>logins, but does have a ~/.ssh/authorized_keys (and
>~/.ssh/authorized_keys2) file. Each person with access has a public
>key in the file. Each key is preceded with options to force a
>command to be run, disallow a pty, and only allow port forwarding to
>the service they are allowed to access
>(command="/etc/waiter",no-pty,permitopen="..."). The command runs a
>tiny program that just waits to die. Its purpose is to prevent any
>other command from being executed.
>
>This all seems to work, except for two problems:
>
>1. Authentication works, but displays the messages "csh:
>Permission Denied" / "csh: Trying to start from <the home directory
>of the username>"
>
>2. While sshd processes do go away when the connections drop, the
>waiters (and a csh) hang around, and build up.
>
>Here are debug messages connecting in:
>
>zinc:~{528}$ ssh -l usera -f -x -L xxx hostname foo
>
>debug: RSA authentication accepted by server.
>debug: Connections to local port xxxx forwarded to remote address xxxx
>debug: Local forwarding listening on 127.0.0.1 port xxxx.
>debug: fd 8 setting O_NONBLOCK
>debug: fd 8 IS O_NONBLOCK
>debug: channel 0: new [port listener]
>debug: Sending command: foo
>debug: Entering interactive session.
>debug: Sending eof.
>zinc:~{529}$ csh: Permission denied
>csh: Trying to start from "/home/usera"
>
>Here is the waiter source:
>
>#include <stdlib.h>
>#include <unistd.h>
>
>int main ( int argc, char** argv )
>{
>    /* getpid() returns this process's own PID, which is never 1. */
>    while ( getpid() != 1 )
>        sleep ( 300 );
>    exit ( 0 );
>}
>
>I think I may have realized the second problem: getpid(2) never
>fails on BSD systems. But still, the child should be killed when
>the sshd process goes away, shouldn't it? Is there better code to
>use for this?
>
>The first problem really has me stumped. I've checked the
>permissions on the home directory, the authorized_keys file, and so
>on, but can't see anything wrong.
In playing with this some more, I tried changing getpid() to
getppid(), which does get the waiter to exit (thanks to all who
caught the error).
I also tried making the forced command "sleep 2" and changing the
account's shell to bash. That gave this error:
zinc:~{512}$ shell-init: could not get current directory: getcwd:
cannot access parent directories: Permission denied
And the client exits, so it doesn't do the port forwarding.
Here are the directory permissions:
matlovich:~$ ls -ld /home
drwxr-x--x 7 root wheel 512 Jul 25 17:40 /home/
matlovich:~$ ls -ld /home/usera
drwxr-x--x 3 usera users 512 Sep 24 17:00 /home/usera/
If I change the command to run the waiter, but leave the shell at
bash, I still get the error (shell-init: could not get current
directory: getcwd: cannot access parent directories: Permission
denied) but it does work, the client continues, and forwards the
ports.
I tried changing the permissions on the home directory to
'drwxr-xr-x', but it didn't help.