** Description changed: [ Impact ] Users upgrading from Ubuntu 22.04 (Jammy) to 24.04 (Noble) find that scripts relying on exact string matching for the $SSH_ORIGINAL_COMMAND environment variable fail when using SFTP. OpenSSH in Noble appends a trailing space to the subsystem command (e.g., "/usr/lib/openssh/sftp-server ") + + Issue was introduced in Noble by - https://github.com/openssh/openssh- + portable/commit/e19069c9fac4c111d6496b19c7f7db43b4f07b4f + + Path for the fix - https://github.com/openssh/openssh- + portable/commit/ee6d932acb532f80b11bb7cf161668c70ec8a117 This fix backports a change from upstream OpenSSH that ensures the command string is properly terminated without the gratious trailing space, restoring compatibility with existing scripts. [Test Plan] 1. Create an lxd Noble container and run the following script: # Create a dummy test user sudo useradd -m -s /bin/bash testuser sudo mkdir -p /home/testuser/.ssh # Create a debugging script cat << 'EOF' | sudo tee /usr/local/bin/debug_ssh.sh #!/bin/bash # Print the command surrounded by brackets to see spaces echo "Raw variable: [$SSH_ORIGINAL_COMMAND]" EOF # make script executable sudo chmod +x /usr/local/bin/debug_ssh.sh # Generate a dummy key ssh-keygen -t ed25519 -f ./test_key -N "" # Add to authorized_keys with the forced command KEY_DATA=$(cat ./test_key.pub) echo "command=\"/usr/local/bin/debug_ssh.sh\" $KEY_DATA" | sudo tee /home/testuser/.ssh/authorized_keys # Set the appropriate permissions sudo chown -R testuser:testuser /home/testuser/.ssh sudo chmod 700 /home/testuser/.ssh sudo chmod 600 /home/testuser/.ssh/authorized_keys 2. Run the following command to reproduce the issue: ssh -i ./test_key -s testuser@localhost sftp Output shows: [/usr/lib/openssh/sftp-server ] (with the space) 3. Apply the patch and build the package locally and rerun the above command to verify the fix. Output should show: [/usr/lib/openssh/sftp- server] (No trailing space) [ Where problems could occur ] The change is localised to how session.c constructs the command string for subsystems. Potential Regression: If a user has specifically written a workaround script in Noble that expects the trailing space (e.g., matching *sftp- server ), this patch would break that workaround. However, since this behaviour is a regression from Jammy and violates standard string expectations, the risk is considered low compared to the benefit of restoring standard behaviour. Scope: The patch specifically targets the internal command construction logic in session.c, so it should not affect general SSH shell sessions or non-subsystem commands. [ Other Info ] The fix is already committed upstream in OpenSSH Portable. The issue is not found in newer versions of Ubuntu and neither in Jammy.
-- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2147690 Title: SSH_ORIGINAL_COMMAND env variable has an extra white space at the end of its value To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/2147690/+subscriptions -- ubuntu-bugs mailing list [email protected] https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
