Bug#252886: ssh: PermitRootLogin forced-commands-only doesn't work
Package: ssh
Version: 3.4p1-1.woody.3
Severity: normal
Tags: woody
On a server running the 3.4p1-1.woody.3 sshd, the sshd_config option
"forced-commands-only" doesn't work as documented in the man page. The
connection is established, and breaks down immediately afterwards.
This is sshd -d output:
debug1: sshd version OpenSSH_3.4p1 Debian 1:3.4p1-1.woody.3
debug1: private host key: #0 type 0 RSA1
debug1: read PEM private key done: type RSA
debug1: private host key: #1 type 1 RSA
debug1: read PEM private key done: type DSA
debug1: private host key: #2 type 2 DSA
debug1: Bind to port 22 on 0.0.0.0.
Server listening on 0.0.0.0 port 22.
Generating 768 bit RSA key.
RSA key generation complete.
debug1: Server will not fork when running in debugging mode.
Connection from 212.126.220.202 port 3603
debug1: Client protocol version 2.0; client software version OpenSSH_3.4p1 Debian 1:3.4p1-1.woody.3
debug1: match: OpenSSH_3.4p1 Debian 1:3.4p1-1.woody.3 pat OpenSSH*
Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-1.99-OpenSSH_3.4p1 Debian 1:3.4p1-1.woody.3
debug1: list_hostkey_types: ssh-rsa,ssh-dss
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received
debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent
debug1: dh_gen_key: priv key bits set: 121/256
debug1: bits set: 1627/3191
debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT
debug1: bits set: 1650/3191
debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent
debug1: kex_derive_keys
debug1: newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: waiting for SSH2_MSG_NEWKEYS
debug1: newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: KEX done
debug1: userauth-request for user root service ssh-connection method none
debug1: attempt 0 failures 0
debug1: Starting up PAM with username "root"
debug1: PAM setting rhost to "q.bofh.de"
Failed none for root from 212.126.220.202 port 3603 ssh2
Failed none for root from 212.126.220.202 port 3603 ssh2
debug1: userauth-request for user root service ssh-connection method publickey
debug1: attempt 1 failures 1
debug1: test whether pkalg/pkblob are acceptable
debug1: temporarily_use_uid: 0/0 (e=0)
debug1: trying public key file /root/.ssh/authorized_keys
debug1: matching key found: file /root/.ssh/authorized_keys, line 2
Found matching RSA key: 13:bf:4c:79:05:b8:11:a1:42:ff:58:67:6c:66:7c:9b
debug1: restore_uid
Postponed publickey for root from 212.126.220.202 port 3603 ssh2
debug1: userauth-request for user root service ssh-connection method publickey
debug1: attempt 2 failures 1
debug1: temporarily_use_uid: 0/0 (e=0)
debug1: trying public key file /root/.ssh/authorized_keys
debug1: matching key found: file /root/.ssh/authorized_keys, line 2
Found matching RSA key: 13:bf:4c:79:05:b8:11:a1:42:ff:58:67:6c:66:7c:9b
debug1: restore_uid
debug1: ssh_rsa_verify: signature correct
ROOT LOGIN REFUSED FROM 212.126.220.202
Failed publickey for root from 212.126.220.202 port 3603 ssh2
Root login accepted for forced command.
Accepted publickey for root from 212.126.220.202 port 3603 ssh2
debug1: monitor_child_preauth: root has been authenticated by privileged process
debug1: userauth-request for user root service ssh-connection method keyboard-interactive
debug1: attempt 3 failures 2
debug1: keyboard-interactive devs 
debug1: auth2_challenge: user=root devs=
debug1: kbdint_alloc: devices ''
Failed keyboard-interactive for root from 212.126.220.202 port 3603 ssh2
Connection closed by 212.126.220.202
debug1: Calling cleanup 0x806be5c(0x0)
debug1: Calling cleanup 0x8052b48(0x0)
debug1: Calling cleanup 0x806be5c(0x0)
This happens no matter whether the client is debian stable or debian
unstable. A backport of sid's 3.8.1p1-4 installed as sshd works fine.
When I compare the sshd -d output with the one of the backport, I
notice that the strange "ROOT LOGIN REFUSED" message two lines before
"Root login accepted for forced command" has vanished:
debug1: sshd version OpenSSH_3.8.1p1 Debian 1:3.8.1p1-3+4zg1
debug1: private host key: #0 type 0 RSA1
debug1: read PEM private key done: type RSA
debug1: private host key: #1 type 1 RSA
debug1: read PEM private key done: type DSA
debug1: private host key: #2 type 2 DSA
socket: Address family not supported by protocol
debug1: Bind to port 22 on 0.0.0.0.
Server listening on 0.0.0.0 port 22.
Generating 768 bit RSA key.
RSA key generation complete.
debug1: Server will not fork when running in debugging mode.
Connection from 212.126.220.202 port 3570
debug1: Client protocol version 2.0; client software version OpenSSH_3.4p1 Debian 1:3.4p1-1.woody.3
debug1: match: OpenSSH_3.4p1 Debian 1:3.4p1-1.woody.3 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-1.99-OpenSSH_3.8.1p1 Debian 1:3.8.1p1-3+4zg1
debug1: permanently_set_uid: 101/65534
debug1: list_hostkey_types: ssh-rsa,ssh-dss
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received
debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT
debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: KEX done
debug1: userauth-request for user root service ssh-connection method none
debug1: attempt 0 failures 0
Failed none for root from 212.126.220.202 port 3570 ssh2
debug1: PAM: initializing for "root"
debug1: userauth-request for user root service ssh-connection method publickey
debug1: attempt 1 failures 1
debug1: test whether pkalg/pkblob are acceptable
debug1: PAM: setting PAM_RHOST to "q.bofh.de"
debug1: PAM: setting PAM_TTY to "ssh"
debug1: temporarily_use_uid: 0/0 (e=0/0)
debug1: trying public key file /root/.ssh/authorized_keys
debug1: matching key found: file /root/.ssh/authorized_keys, line 2
Found matching RSA key: 13:bf:4c:79:05:b8:11:a1:42:ff:58:67:6c:66:7c:9b
debug1: restore_uid: 0/0
Postponed publickey for root from 212.126.220.202 port 3570 ssh2
debug1: userauth-request for user root service ssh-connection method publickey
debug1: attempt 2 failures 1
debug1: temporarily_use_uid: 0/0 (e=0/0)
debug1: trying public key file /root/.ssh/authorized_keys
debug1: matching key found: file /root/.ssh/authorized_keys, line 2
Found matching RSA key: 13:bf:4c:79:05:b8:11:a1:42:ff:58:67:6c:66:7c:9b
debug1: restore_uid: 0/0
debug1: ssh_rsa_verify: signature correct
Root login accepted for forced command.
Root login accepted for forced command.
Accepted publickey for root from 212.126.220.202 port 3570 ssh2
Accepted publickey for root from 212.126.220.202 port 3570 ssh2
debug1: monitor_child_preauth: root has been authenticated by privileged process
debug1: Entering interactive session for SSH2.
debug1: server_init_dispatch_20
debug1: server_input_channel_open: ctype session rchan 0 win 131072 max 32768
debug1: input_session_request
debug1: channel 0: new [server-session]
debug1: session_new: init
debug1: session_new: session 0
debug1: session_open: channel 0
debug1: session_open: session 0: link with channel 0
debug1: server_input_channel_open: confirm session
debug1: server_input_channel_req: channel 0 request exec reply 0
debug1: session_by_channel: session 0 channel 0
debug1: session_input_channel_req: session 0 req exec
debug1: Forced command '/home/mh/echooriginal'
debug1: PAM: establishing credentials
debug1: Received SIGCHLD.
debug1: session_by_pid: pid 29575
debug1: session_exit_message: session 0 channel 0 pid 29575
debug1: session_exit_message: release channel 0
debug1: session_close: session 0 pid 29575
debug1: channel 0: free: server-session, nchannels 1
Connection closed by 212.126.220.202
debug1: do_cleanup
debug1: PAM: cleanup
Closing connection to 212.126.220.202
debug1: PAM: cleanup
Is this a bug in openssh 3.4? Any workaround? I'd hate to have to work
with a backported 3.8 on production systems. This is why I report this
bug against woody, tagged appropriately.
Greetings
Marc
-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.4.26-zgserver
Locale: LANG=C, LC_CTYPE=C
Versions of packages ssh depends on:
ii  adduser                     3.56         Add and remove users and groups
ii  debconf                     1.4.25       Debian configuration management sy
ii  dpkg                        1.10.22      Package maintenance system for Deb
ii  libc6                       2.3.2.ds1-13 GNU C Library: Shared libraries an
ii  libpam-modules              0.76-21      Pluggable Authentication Modules f
ii  libpam-runtime              0.76-21      Runtime support for the PAM librar
ii  libpam0g                    0.76-21      Pluggable Authentication Modules l
ii  libssl0.9.7                 0.9.7d-3     SSL shared libraries
ii  libwrap0                    7.6.dbs-4    Wietse Venema's TCP wrappers libra
ii  zlib1g                      1:1.2.1.1-3  compression library - runtime
-- debconf information excluded
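Added note (not part of Marc's report): sshd_config(5) documents "PermitRootLogin forced-commands-only" as allowing root to log in with public-key authentication only when the matching authorized_keys line carries a command="..." option; every other root key is refused. The following auditor, written for this page and not taken from OpenSSH or the Debian package, parses /root/.ssh/authorized_keys the way sshd does (optional comma-separated options with double-quoted values and backslash-escaped quotes, then key type, key, comment) and reports which lines would be accepted or refused under that setting, plus which forced-command keys still allow a pty or forwarding. The sample file is constructed; the key blobs are placeholders, and the forced command path is the one that appears in the debug output above.

```python
"""Audit an authorized_keys file against PermitRootLogin forced-commands-only.

Example code added to this page (not from OpenSSH or the report above). It
implements the authorized_keys line grammar and flags root keys that sshd
would refuse because they have no command= option, and forced-command keys
that leave port/agent/X11 forwarding or a pty open to the caller.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple, Union

# A line whose first token starts with one of these is a key without options.
KEY_TYPE_PREFIXES = ("ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-", "sk-")
# Options that confine a forced command; "restrict" is newer than OpenSSH 3.4.
CONFINING = ("no-port-forwarding", "no-pty", "no-x11-forwarding", "no-agent-forwarding")


@dataclass
class AuthorizedKey:
    lineno: int
    options: Dict[str, Union[str, bool]]
    key_type: str
    key_blob: str
    comment: str


def parse_options(text: str) -> Tuple[Dict[str, Union[str, bool]], str]:
    """Parse the options field at the start of an authorized_keys line.

    Returns ({name: value-or-True}, remainder). Values are double-quoted in the
    file and may contain commas and spaces; a backslash escapes a quote inside.
    The options field ends at the first unquoted whitespace.
    """
    opts: Dict[str, Union[str, bool]] = {}
    i, n = 0, len(text)
    while i < n:
        start = i
        while i < n and text[i] not in '=, \t':
            i += 1
        name = text[start:i].lower()
        value: Union[str, bool] = True
        if i < n and text[i] == "=":
            i += 1
            if i < n and text[i] == '"':
                i += 1
                buf = []
                while i < n and text[i] != '"':
                    if text[i] == "\\" and i + 1 < n and text[i + 1] == '"':
                        buf.append('"')
                        i += 2
                        continue
                    buf.append(text[i])
                    i += 1
                if i >= n:
                    raise ValueError("unterminated quoted option value")
                i += 1  # closing quote
                value = "".join(buf)
            else:
                start = i
                while i < n and text[i] not in ", \t":
                    i += 1
                value = text[start:i]
        if name:
            opts[name] = value
        if i < n and text[i] == ",":
            i += 1
            continue
        if i < n and text[i] not in " \t":
            raise ValueError(f"unexpected {text[i]!r} after option {name!r}")
        break
    return opts, text[i:].lstrip()


def parse_line(lineno: int, line: str) -> Optional[AuthorizedKey]:
    """Return the parsed key, or None for blank and comment lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    first = line.split(None, 1)[0]
    if first.startswith(KEY_TYPE_PREFIXES) or first.isdigit():  # isdigit: protocol-1 "bits exp mod"
        options, rest = {}, line
    else:
        options, rest = parse_options(line)
    fields = rest.split(None, 2)
    if len(fields) < 2:
        raise ValueError(f"line {lineno}: expected key type and key")
    return AuthorizedKey(lineno, options, fields[0], fields[1], fields[2] if len(fields) > 2 else "")


def audit(text: str) -> List[dict]:
    """Verdict per key under PermitRootLogin forced-commands-only."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        key = parse_line(n, raw)
        if key is None:
            continue
        command = key.options.get("command")
        if not isinstance(command, str) or not command:
            findings.append({"line": n, "verdict": "refused",
                             "reason": "no command= option, so sshd refuses root with forced-commands-only"})
            continue
        missing = [] if "restrict" in key.options else [o for o in CONFINING if o not in key.options]
        findings.append({"line": n, "verdict": "accepted", "command": command,
                         "missing_restrictions": missing})
    return findings


# Constructed sample of /root/.ssh/authorized_keys; the key blobs are placeholders.
SAMPLE = """\
# constructed sample, not a real key file
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDQ== admin@example.org
command="/home/mh/echooriginal",no-port-forwarding,no-pty,no-X11-forwarding,no-agent-forwarding ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDR== forced@q.bofh.de
command="/usr/local/bin/backup --tag \\"nightly\\"" ssh-dss AAAAB3NzaC1kc3MAAACBAJ== sync@example.org
"""

if __name__ == "__main__":
    for f in audit(SAMPLE):
        print(f)
```

Run it against a real file with audit(open("/root/.ssh/authorized_keys").read()). Line 2 of the sample is the case the debug output above exercises: a root key with no command= option, which this setting is supposed to refuse; line 4 is accepted but reports four missing restrictions, which is the usual follow-up finding when forced commands are used as an access-control measure.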