
Bug#983464: marked as done (openssh-server: Forced command affects all keys)



Your message dated Wed, 24 Feb 2021 22:38:09 +0100
with message-id <84f6817b-01fb-540f-9ad0-0eb5dbb844fe@3001.dk>
and subject line Re: Bug#983464: openssh-server: Forced command affects all keys
has caused the Debian Bug report #983464,
regarding openssh-server: Forced command affects all keys
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
983464: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=983464
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: openssh-server
Version: 1:8.4p1-4
Severity: normal
X-Debbugs-Cc: debian@3001.dk

(I guess - but haven't checked in any way - that this also affects
upstream)

(There are many open bugs against this package, so I didn't carefully
read the list, but did search it - without finding this issue)

The sshd manpage says:
     command="command"
             Specifies that the command is executed whenever this key is used for authentication.

but when I add such an option on one key in my authorized_keys file, so
it looks like:
ssh-rsa AAAAB3... grove@sslug.dk
command="/bin/hostname" ssh-rsa AAAAB3N... hcg@one.com
(I've shortened my public keys, as they are completely irrelevant, if
you want to give me access to some machine, ask me for the complete key)

I get the output of /bin/hostname no matter which key I use:
grove@stacey> ssh -i .ssh/privat_rsa 10.0.3.106 date
sid
grove@stacey> ssh -i .ssh/id_rsa 10.0.3.106 date
sid

(A forced command was my use case, so that's what I've been specifying
when testing, but in my original attempt at setting this up, I copied
from somewhere specifying more options, and I think I saw that the
problem also affected pty allocation, so possibly all options)

-- System Information:
Debian Release: bullseye/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-14-amd64 (SMP w/8 CPU threads)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages openssh-server depends on:
ii  adduser                3.118
ii  debconf [debconf-2.0]  1.5.74
ii  dpkg                   1.20.7.1
ii  libaudit1              1:3.0-2
ii  libc6                  2.31-9
ii  libcom-err2            1.46.1-1
ii  libcrypt1              1:4.4.17-1
ii  libgssapi-krb5-2       1.18.3-4
ii  libkrb5-3              1.18.3-4
ii  libpam-modules         1.4.0-4
ii  libpam-runtime         1.4.0-4
ii  libpam0g               1.4.0-4
ii  libselinux1            3.1-3
ii  libssl1.1              1.1.1j-1
ii  libsystemd0            247.3-1
ii  libwrap0               7.6.q-31
ii  lsb-base               11.1.0
ii  openssh-client         1:8.4p1-4
ii  openssh-sftp-server    1:8.4p1-4
ii  procps                 2:3.3.17-4
ii  runit-helper           2.10.3
ii  ucf                    3.0043
ii  zlib1g                 1:1.2.11.dfsg-2

Versions of packages openssh-server recommends:
ii  libpam-systemd [logind]  247.3-1
ii  ncurses-term             6.2+20201114-2
ii  xauth                    1:1.1-1

Versions of packages openssh-server suggests:
pn  molly-guard   <none>
pn  monkeysphere  <none>
pn  ssh-askpass   <none>
pn  ufw           <none>

-- debconf information:
  openssh-server/password-authentication: true
  openssh-server/permit-root-login: true

--- End Message ---
--- Begin Message ---
On 24.02.2021 at 18.33, Timo Weingärtner wrote:
> Hello Henrik Christian Grove,
> 
> 24.02.21 17:36 Henrik Christian Grove:

>> grove@stacey> ssh -i .ssh/privat_rsa 10.0.3.106 date
>> sid
>> grove@stacey> ssh -i .ssh/id_rsa 10.0.3.106 date
>> sid
> 
> Which key is accepted by the server? You can see that in either of:
> * ssh -v, search for "Server accepts key"
> * sshd log, search for "Accepted publickey for"
> 
> You may have the "wrong" key in your ssh-agent and you're not using 
> "IdentitiesOnly=yes".

Sorry, that's exactly it. I wasn't aware that the ssh client might use
identities other than the one specified by '-i'.

(This is the first time I've tried to close a bugreport in Debian, I
hope I've done it correctly.)

.Henrik

--- End Message ---
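
An added example, not part of the original thread: it answers the reply's question "Which key is accepted by the server?" from the server side, by matching the fingerprint in sshd's "Accepted publickey for" log line against the entries in authorized_keys to show which options (such as command=) applied to that login. The key blobs, log line, client address and function names are constructed for illustration.

```python
import base64
import hashlib
import re

KEY_TYPES = ("ssh-", "ecdsa-sha2-", "sk-")  # prefixes of key-type tokens
ACCEPTED = re.compile(r"Accepted publickey for (\S+) from \S+ port \d+ ssh2: \S+ (SHA256:\S+)")

def fingerprint(blob_b64):
    """SHA256 fingerprint as sshd logs it: unpadded base64 of the blob digest."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_authorized_keys(text):
    """Return {fingerprint: (options, comment)} for every key line."""
    entries = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        # Split on whitespace, keeping quoted option values such as command="a b" whole.
        fields = re.findall(r'(?:[^\s"]|"(?:\\.|[^"\\])*")+', line)
        idx = next((i for i, f in enumerate(fields[:2]) if f.startswith(KEY_TYPES)), None)
        if idx is None or len(fields) < idx + 2:
            continue  # not a key line
        options = fields[0] if idx == 1 else ""
        entries[fingerprint(fields[idx + 1])] = (options, " ".join(fields[idx + 2:]))
    return entries

def explain_logins(log_text, keys_text):
    """For each accepted login return (user, key comment, options applied)."""
    entries = parse_authorized_keys(keys_text)
    results = []
    for user, fp in ACCEPTED.findall(log_text):
        options, comment = entries.get(fp, (None, None))  # None: key not in this file
        results.append((user, comment, options))
    return results

# Constructed sample input: placeholder blobs, not real keys; client address is a documentation range.
BLOB_A = base64.b64encode(b"constructed key blob A").decode()
BLOB_B = base64.b64encode(b"constructed key blob B").decode()
SAMPLE_KEYS = (f"ssh-rsa {BLOB_A} grove@sslug.dk\n"
               f'command="/bin/hostname" ssh-rsa {BLOB_B} hcg@one.com\n')
SAMPLE_LOG = ("sshd[812]: Accepted publickey for grove from 192.0.2.10 "
              f"port 50022 ssh2: RSA {fingerprint(BLOB_B)}\n")

if __name__ == "__main__":
    for user, comment, options in explain_logins(SAMPLE_LOG, SAMPLE_KEYS):
        print(f"{user}: key '{comment}' accepted, options: {options or '(none)'}")
```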
