Re: RE: RE: Subsystem sftp invoked even though forced command created

On 06.07.23 23:37, MCMANUS, MICHAEL P wrote:
> So changing the forced command as stated will break the application. I
> would need to create a test bed to simulate the listener rather than
> use the server as is, where is. That may produce false or misleading
> results.

Since the forced command is tied to the specific keypair in the authorized_keys, you could
-- test with a different keypair or
-- use an additional 'from="..."' option to split the entry between your
   test client and the productive clients.

> Oddly enough, the same behavior occurs when the embedded key is used
> to launch an interactive sftp session from the host running the
> legitimate client:
>
> # sftp -i ${embeddedKey} ${user}@${host}
> <Standard warning from /etc/issue.net>
> Connected to ${host}.
> sftp> ls
> README              collectors          receive-data.ksh    tmp
> sftp> ^D
> So we can probably write off any idiosyncrasies of WinSCP and work only
> with OpenSSH. Note there is no output from the script whatsoever.

In that case, let me repeat my quick test on one of our systems ... :

[root ~]# cat /etc/centos-release
CentOS Linux release 7.9.2009 (Core)
[root ~]# rpm -q openssh
openssh-7.4p1-22.el7_9.x86_64
[root ~]# tail -1 ~autoquest/.ssh/authorized_keys | sed -e 's/AAA.*/.../'
restrict,from="127.0.0.1",command="/bin/logger -t AutoHack" ssh-rsa ...
[root ~]# ssh-keygen -l -f /home/autoquest/.ssh/authorized_keys | tail -1
4096 SHA256:NSG4SRm/sLQxX4Xc5lQiMc3Q9S5j0Vavp7gu+voAwhI CNG-000121900000-010098-01 (RSA)
[root ~]# ssh-keygen -l -f /home/bongo/.ssh/*.pub
4096 SHA256:NSG4SRm/sLQxX4Xc5lQiMc3Q9S5j0Vavp7gu+voAwhI CNG-000121900000-010098-01 (RSA)
[root ~]# su -l -s /bin/bash bongo
[bongo ~]$ echo "foo bar baz" | sftp autoquest@127.0.0.1
[... confirm host keypair, output of /etc/issue.net ... then it just hangs ...]
^CKilled by signal 15.
[bongo ~]$ exit
logout
[root ~]# journalctl -t AutoHack
-- Logs begin at Thu 2023-06-22 11:07:33 CEST, end at Fri 2023-07-07 14:20:35 CEST. --
Jul 07 14:19:35 cng-000121900000-010098-01 AutoHack[15837]:

... no SFTP login, but also no stdin being logged ...

Kind regards,
--
Jochen Bern
Systemingenieur

Binect GmbH


_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
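
Added example, not part of the original message or of OpenSSH: a small Python parser that groups authorized_keys entries by key fingerprint, so an entry split with from="..." as suggested in the reply can be compared against the `ssh-keygen -l` output and its forced command confirmed. The key blobs, the second from= pattern and the /path/to/listener command are constructed placeholders.

```python
import base64
import hashlib
from collections import defaultdict

def split_unquoted(text, seps):
    """Split on separator characters that sit outside double quotes."""
    parts, cur, quoted, prev = [], "", False, ""
    for ch in text:
        if ch == '"' and prev != "\\":      # \" inside a value does not end it
            quoted = not quoted
        if ch in seps and not quoted:
            parts.append(cur)
            cur = ""
        else:
            cur += ch
        prev = ch
    parts.append(cur)
    return [p for p in parts if p]

def parse_line(line):
    """Return (fingerprint, options) for one authorized_keys line."""
    tokens = split_unquoted(line.strip(), " \t")
    # A line starts either with the options field or directly with the key type.
    has_opts = not tokens[0].startswith(("ssh-", "ecdsa-", "sk-"))
    opts = {}
    for item in split_unquoted(tokens[0], ",") if has_opts else []:
        name, _, value = item.partition("=")
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1].replace('\\"', '"')
        opts[name.lower()] = value or True  # bare flags such as "restrict"
    blob = base64.b64decode(tokens[2 if has_opts else 1])
    digest = base64.b64encode(hashlib.sha256(blob).digest()).decode()
    return "SHA256:" + digest.rstrip("="), opts  # same form as ssh-keygen -l

def entries_by_key(text):
    """Group entries by fingerprint so split (from=...) entries show up together."""
    grouped = defaultdict(list)
    for line in text.splitlines():
        if line.strip() and not line.lstrip().startswith("#"):
            fp, opts = parse_line(line)
            grouped[fp].append(opts)
    return dict(grouped)

# Constructed sample: the blobs are placeholders, not real keys; the second
# from= pattern and its command path are hypothetical.
BLOB_A = base64.b64encode(b"constructed key A").decode()
BLOB_B = base64.b64encode(b"constructed key B").decode()
SAMPLE = f'''
restrict,from="127.0.0.1",command="/bin/logger -t AutoHack" ssh-rsa {BLOB_A} test
from="192.0.2.*",command="/path/to/listener" ssh-rsa {BLOB_A} production
ssh-ed25519 {BLOB_B} no-options
'''
```

Calling `entries_by_key()` on the contents of a real authorized_keys file lists, per fingerprint, every entry's `from`, `command` and `restrict` settings in file order.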
