Re: RE: RE: Subsystem sftp invoked even though forced command created

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]


On 06.07.23 23:37, MCMANUS, MICHAEL P wrote:> So changing the forced command as stated will break the application. I
would need to create a test bed to simulate the listener rather than
use the server as is, where is. That may produce false or misleading
Since the forced command is tied to the specific keypair in the authorized_keys, you could
-- test with a different keypair or
-- use an additional 'from="..."' option to split the entry between your
   test client and the productive clients.

Oddly enough, the same behavior occurs when the embedded key is used
to launch an interactive sftp session from the host running the
legitimate client:

# sftp -i ${embeddedKey} ${user}@${host}
<Standard warning from /etc/>
Connected to ${host}.
sftp> ls
README              collectors          receive-data.ksh    tmp
sftp> ^D
So we can probably write off any idiosyncrasies of WinSCP and work only
with OpenSSH. Note there is no output from the script whatsoever.

In that case, let me repeat my quick test on one of our systems ... :

[root ~]# cat /etc/centos-release
CentOS Linux release 7.9.2009 (Core)
[root ~]# rpm -q openssh
[root ~]# tail -1 ~autoquest/.ssh/authorized_keys | sed -e 's/AAA.*/.../'
restrict,from="",command="/bin/logger -t AutoHack" ssh-rsa ...
[root ~]# ssh-keygen -l -f /home/autoquest/.ssh/authorized_keys | tail -1
4096 SHA256:NSG4SRm/sLQxX4Xc5lQiMc3Q9S5j0Vavp7gu+voAwhI CNG-000121900000-010098-01 (RSA)
[root ~]# ssh-keygen -l -f /home/bongo/.ssh/*.pub
4096 SHA256:NSG4SRm/sLQxX4Xc5lQiMc3Q9S5j0Vavp7gu+voAwhI CNG-000121900000-010098-01 (RSA)
[root ~]# su -l -s /bin/bash bongo
[bongo ~]$ echo "foo bar baz" | sftp autoquest@
[... confirm host keypair, output of /etc/ ... then it just hangs ...]
^CKilled by signal 15.
[bongo ~]$ exit
[root ~]# journalctl -t AutoHack
-- Logs begin at Thu 2023-06-22 11:07:33 CEST, end at Fri 2023-07-07 14:20:35 CEST. --
Jul 07 14:19:35 cng-000121900000-010098-01 AutoHack[15837]:

... no SFTP login, but also no stdin being logged ...

Kind regards,
Jochen Bern

Binect GmbH

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature

openssh-unix-dev mailing list

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux