Bug#252886: ssh: PermitRootLogin forced-commands-only doesn't work

[Florian Weimer <fw@deneb.enyo.de>]

* Marc Haber:

> On a server running the 3.4p1-1.woody.3 sshd, the sshd_config option
> "forced-commands-only" doesn't work as documented in the man page. The
> connection is established, and breaks down immediately afterwards.

Marc and I talked about this on IRC, and discovered that the changes
are probably too intrusive to apply the woody OpenSSH daemon.

The actual fix from OpenBSD CVS is reproduced below.  But
unfortunately, it depends on some refactoring of the key exchange code
which moves quite a bit of code around.

Index: monitor.c
===================================================================
RCS file: /cvs/src/usr.bin/ssh/monitor.c,v
retrieving revision 1.31
retrieving revision 1.32
diff -u -r1.31 -r1.32
--- monitor.c	4 Feb 2003 09:33:22 -0000	1.31
+++ monitor.c	16 Feb 2003 17:30:33 -0000	1.32
@@ -25,7 +25,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: monitor.c,v 1.31 2003/02/04 09:33:22 markus Exp $");
+RCSID("$OpenBSD: monitor.c,v 1.32 2003/02/16 17:30:33 markus Exp $");
 
 #include <openssl/dh.h>
 
@@ -791,6 +791,7 @@
 
 	buffer_clear(m);
 	buffer_put_int(m, allowed);
+	buffer_put_int(m, forced_command != NULL);
 
 	mm_append_debug(m);
 
@@ -1153,6 +1154,7 @@
 	}
 	buffer_clear(m);
 	buffer_put_int(m, allowed);
+	buffer_put_int(m, forced_command != NULL);
 
 	/* clear temporarily storage (used by generate challenge) */
 	monitor_reset_key_state();
Index: monitor_wrap.c
===================================================================
RCS file: /cvs/src/usr.bin/ssh/monitor_wrap.c,v
retrieving revision 1.21
retrieving revision 1.22
diff -u -r1.21 -r1.22
--- monitor_wrap.c	4 Feb 2003 09:33:22 -0000	1.21
+++ monitor_wrap.c	16 Feb 2003 17:30:33 -0000	1.22
@@ -25,7 +25,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: monitor_wrap.c,v 1.21 2003/02/04 09:33:22 markus Exp $");
+RCSID("$OpenBSD: monitor_wrap.c,v 1.22 2003/02/16 17:30:33 markus Exp $");
 
 #include <openssl/bn.h>
 #include <openssl/dh.h>
@@ -34,6 +34,7 @@
 #include "dh.h"
 #include "kex.h"
 #include "auth.h"
+#include "auth-options.h"
 #include "buffer.h"
 #include "bufaux.h"
 #include "packet.h"
@@ -310,7 +311,7 @@
 	Buffer m;
 	u_char *blob;
 	u_int len;
-	int allowed = 0;
+	int allowed = 0, have_forced = 0;
 
 	debug3("%s entering", __func__);
 
@@ -332,6 +333,11 @@
 
 	allowed = buffer_get_int(&m);
 
+	/* fake forced command */
+	auth_clear_options();
+	have_forced = buffer_get_int(&m);
+	forced_command = have_forced ? xstrdup("true") : NULL;
+
 	/* Send potential debug messages */
 	mm_send_debug(&m);
 
@@ -834,7 +840,7 @@
 	Key *key;
 	u_char *blob;
 	u_int blen;
-	int allowed = 0;
+	int allowed = 0, have_forced = 0;
 
 	debug3("%s entering", __func__);
 
@@ -845,6 +851,11 @@
 	mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_RSAKEYALLOWED, &m);
 
 	allowed = buffer_get_int(&m);
+
+	/* fake forced command */
+	auth_clear_options();
+	have_forced = buffer_get_int(&m);
+	forced_command = have_forced ? xstrdup("true") : NULL;
 
 	if (allowed && rkey != NULL) {
 		blob = buffer_get_string(&m, &blen);

-- 
Current mail filters: many dial-up/DSL/cable modem hosts, and the
following domains: bigpond.com, di-ve.com, fuorissimo.com, hotmail.com,
jumpy.it, libero.it, netscape.net, postino.it, simplesnet.pt, spymac.com,
tiscali.co.uk, tiscali.cz, tiscali.it, voila.fr, yahoo.com.