Bug#983464: openssh-server: Forced command affects all keys
Package: openssh-server
Version: 1:8.4p1-4
Severity: normal
X-Debbugs-Cc: debian@3001.dk
(I guess - but haven't checked in any way - that this also affects
upstream)
(There are many open bugs against this package, so I didn't carefully
read the list, but did search it - without finding this issue)
The sshd manpage says:
    command="command"
        Specifies that the command is executed whenever this key is used for authentication.
but when I add such an option on one key in my authorized_keys file, so
it looks like:
    ssh-rsa AAAAB3... grove@sslug.dk
    command="/bin/hostname" ssh-rsa AAAAB3N... hcg@one.com
(I've shortened my public keys, as they are completely irrelevant, if
you want to give me access to some machine, ask me for the complete key)
I get the output of /bin/hostname no matter which key I use:
    grove@stacey> ssh -i .ssh/privat_rsa 10.0.3.106 date
    sid
    grove@stacey> ssh -i .ssh/id_rsa 10.0.3.106 date
    sid
(A forced command was my use case, so that's what I've been specifying
when testing, but in my original attempt at setting this up, I copied
from somewhere specifying more options, and I think I saw that the
problem also affected pty allocation, so possibly all options)
-- System Information:
Debian Release: bullseye/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 4.19.0-14-amd64 (SMP w/8 CPU threads)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages openssh-server depends on:
ii adduser 3.118
ii debconf [debconf-2.0] 1.5.74
ii dpkg 1.20.7.1
ii libaudit1 1:3.0-2
ii libc6 2.31-9
ii libcom-err2 1.46.1-1
ii libcrypt1 1:4.4.17-1
ii libgssapi-krb5-2 1.18.3-4
ii libkrb5-3 1.18.3-4
ii libpam-modules 1.4.0-4
ii libpam-runtime 1.4.0-4
ii libpam0g 1.4.0-4
ii libselinux1 3.1-3
ii libssl1.1 1.1.1j-1
ii libsystemd0 247.3-1
ii libwrap0 7.6.q-31
ii lsb-base 11.1.0
ii openssh-client 1:8.4p1-4
ii openssh-sftp-server 1:8.4p1-4
ii procps 2:3.3.17-4
ii runit-helper 2.10.3
ii ucf 3.0043
ii zlib1g 1:1.2.11.dfsg-2
Versions of packages openssh-server recommends:
ii libpam-systemd [logind] 247.3-1
ii ncurses-term 6.2+20201114-2
ii xauth 1:1.1-1
Versions of packages openssh-server suggests:
pn molly-guard <none>
pn monkeysphere <none>
pn ssh-askpass <none>
pn ufw <none>
-- debconf information:
openssh-server/password-authentication: true
openssh-server/permit-root-login: true
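
An added diagnostic example, not part of the original report and not OpenSSH code: it parses authorized_keys lines into per-key options and the key's SHA256 fingerprint, which is the value sshd prints in its "Accepted publickey" log line, so the options of the line that actually authenticated a session can be looked up. The sample keys, the helper names and the key-type prefix list are assumptions made for this example.

```python
import base64
import hashlib

# Prefixes of key-type names; a line that starts with none of these begins with options.
KEY_TYPES = ("ssh-rsa", "ssh-ed25519", "ssh-dss", "ecdsa-sha2-", "sk-")

def split_options(field):
    """Split 'a,b="x,y"' on commas that are outside double quotes."""
    opts, cur, quoted, prev = {}, "", False, ""
    for ch in field + ",":
        if ch == '"' and prev != "\\":
            quoted = not quoted
        if ch == "," and not quoted:
            name, eq, value = cur.partition("=")
            if value.startswith('"'):  # drop the surrounding quotes, unescape \"
                value = value[1:-1].replace('\\"', '"')
            if name:
                opts[name.lower()] = value if eq else True
            cur = ""
        else:
            cur += ch
        prev = ch
    return opts

def parse_line(line):
    """Return fingerprint, type, options and comment for one authorized_keys line."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    options = {}
    if not line.startswith(KEY_TYPES):
        quoted, prev = False, ""
        for i, ch in enumerate(line):  # options end at the first unquoted whitespace
            if ch == '"' and prev != "\\":
                quoted = not quoted
            elif ch in " \t" and not quoted:
                break
            prev = ch
        options, line = split_options(line[:i]), line[i:].strip()
    keytype, blob, *comment = line.split(None, 2)
    digest = hashlib.sha256(base64.b64decode(blob)).digest()
    fp = "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
    return {"fingerprint": fp, "type": keytype, "options": options, "comment": " ".join(comment)}

def constructed_key(n):
    # Constructed ed25519-shaped blob (not a real key), enough to fingerprint.
    blob = (11).to_bytes(4, "big") + b"ssh-ed25519" + (32).to_bytes(4, "big") + bytes([n]) * 32
    return "ssh-ed25519 " + base64.b64encode(blob).decode()

SAMPLE = [constructed_key(1) + " first@example",
          'command="/bin/hostname" ' + constructed_key(2) + " second@example"]
```

Calling `parse_line` on each line of a real authorized_keys file gives one entry per key; only the entry whose fingerprint matches the logged one contributes options to that session.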