Hi Dominik,

Thanks for your reply, but I'm not sure I've properly explained what I mean. In essence, from what I can see, it isn't just executing the forced command for the key that is being used, it executes the commands for *every* RSA key in the authorized_keys file, meaning I get hundreds of commands being run for each login. The program is itself checking the $SSH_ORIGINAL_KEY.

Hope this explains it better.

—Oliver

On 22 January 2011 09:43, Dominik George <nik@xxxxxxxxxxxxx> wrote:
> Hi Oliver,
>
> this is essentially the point of the forced commands. SSH will execute
> them, no matter what the client actually provides as a command.
>
> If you instead want to just verify if the command is allowed, you will
> need a wrapper script as forced command that checks the
> $SSH_ORIGINAL_COMMAND environment variable and then decides what to do.
>
> Again, the forced-commands-only is for forcing a command, not for
> verifying it.
>
> -nik
>
>> Hi there,
>>
>> I am having a very strange problem with SSH. Essentially, I'm using
>> forced commands to restrict access based on public key (there are
>> around 2000 public keys). It appears to work okay, but when I look at
>> the ssh -v output I see that the client/server is actually executing
>> all the forced commands for RSA keys (I am connecting with an RSA key)
>> until it "hits" my key.
>>
>> Anyone have any idea why this is happening? I have no clue where to
>> even look for hints as to what would cause this…
>>
>> Here's an example of the output I am seeing (condensed, the real
>> output is ~3000 lines):
>>
>> OpenSSH_5.2p1, OpenSSL 0.9.8l 5 Nov 2009
>> debug1: Authentication succeeded (publickey).
>> debug2: fd 5 setting O_NONBLOCK
>> debug2: fd 6 setting O_NONBLOCK
>> debug1: channel 0: new [client-session]
>> debug3: ssh_session2_open: channel_new: 0
>> debug2: channel 0: send open
>> debug1: Requesting no-more-sessions@xxxxxxxxxxx
>> debug1: Entering interactive session.
>> debug1: Remote: Forced command: gitosis-serve osjokine
>> debug1: Remote: Port forwarding disabled.
>> debug1: Remote: X11 forwarding disabled.
>> debug1: Remote: Agent forwarding disabled.
>> debug1: Remote: Pty allocation disabled.
>> [... hundreds more like this ...]
>> debug1: Remote: Forced command: gitosis-serve obeattie
>> debug1: Remote: Port forwarding disabled.
>> debug1: Remote: X11 forwarding disabled.
>> debug1: Remote: Agent forwarding disabled.
>> debug1: Remote: Pty allocation disabled.
>> debug1: Remote: Forced command: gitosis-serve osjokine
>> debug1: Remote: Port forwarding disabled.
>> debug1: Remote: X11 forwarding disabled.
>> debug1: Remote: Agent forwarding disabled.
>> debug1: Remote: Pty allocation disabled.
>> [... hundreds more again ...]
>> debug1: Remote: Forced command: gitosis-serve obeattie
>> debug1: Remote: Port forwarding disabled.
>> debug1: Remote: X11 forwarding disabled.
>> debug1: Remote: Agent forwarding disabled.
>> debug1: Remote: Pty allocation disabled.
>> debug2: callback start
>>
>> —Oliver
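
The wrapper approach from Dominik's reply, sketched as an added example that is not part of the original thread or of gitosis: a forced-command script that inspects `$SSH_ORIGINAL_COMMAND` and only hands allowed requests on. The install path, the `check_original_command` name, the two-verb git allowlist and the hand-off to `git-shell` are assumptions made for illustration.

```shell
#!/bin/sh
# Hypothetical forced-command wrapper (added example, not from the thread).
# Installed per key in authorized_keys; path and user label are placeholders:
#   command="/usr/local/bin/ssh-wrapper alice",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa AAAA...
# sshd runs this instead of the client's request and exposes that request
# in $SSH_ORIGINAL_COMMAND.

# Validate one requested command line.
# Prints "<verb> <repo>" and returns 0 if allowed, returns 1 otherwise.
check_original_command() {
    cmd=$1
    # Exact shape only: an allowed verb, one space, one single-quoted argument.
    case $cmd in
        "git-upload-pack '"*"'"|"git-receive-pack '"*"'") ;;
        *) return 1 ;;   # empty (interactive login) or any other command
    esac
    verb=${cmd%% *}
    repo=${cmd#* \'}
    repo=${repo%\'}
    # Repository path must be non-empty, relative, free of ".." and limited
    # to a conservative character set (rejects quotes, spaces, ';', '$', ...).
    case $repo in
        ''|/*|*..*|*[!A-Za-z0-9._/-]*) return 1 ;;
    esac
    printf '%s %s\n' "$verb" "$repo"
}

main() {
    user=$1
    if ! request=$(check_original_command "${SSH_ORIGINAL_COMMAND:-}"); then
        echo "ssh-wrapper: request from $user rejected" >&2
        exit 1
    fi
    echo "ssh-wrapper: $user -> $request" >&2
    # Assumption: git-shell is installed and serves the validated request.
    exec git-shell -c "$SSH_ORIGINAL_COMMAND"
}

# Act as the forced command only when sshd passes the user label argument.
[ "$#" -eq 0 ] || main "$@"
```
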