Package: ssh Version: 3.4p1-1.woody.3 Severity: normal Tags: woody On a server running the 3.4p1-1.woody.3 sshd, the sshd_config option "forced-commands-only" doesn't work as documented in the man page. The connection is established, and breaks down immediately afterwards.
This is sshd -d output: debug1: sshd version OpenSSH_3.4p1 Debian 1:3.4p1-1.woody.3 debug1: private host key: #0 type 0 RSA1 debug1: read PEM private key done: type RSA debug1: private host key: #1 type 1 RSA debug1: read PEM private key done: type DSA debug1: private host key: #2 type 2 DSA debug1: Bind to port 22 on 0.0.0.0. Server listening on 0.0.0.0 port 22. Generating 768 bit RSA key. RSA key generation complete. debug1: Server will not fork when running in debugging mode. Connection from 212.126.220.202 port 3603 debug1: Client protocol version 2.0; client software version OpenSSH_3.4p1 Debian 1:3.4p1-1.woody.3 debug1: match: OpenSSH_3.4p1 Debian 1:3.4p1-1.woody.3 pat OpenSSH* Enabling compatibility mode for protocol 2.0 debug1: Local version string SSH-1.99-OpenSSH_3.4p1 Debian 1:3.4p1-1.woody.3 debug1: list_hostkey_types: ssh-rsa,ssh-dss debug1: SSH2_MSG_KEXINIT sent debug1: SSH2_MSG_KEXINIT received debug1: kex: client->server aes128-cbc hmac-md5 none debug1: kex: server->client aes128-cbc hmac-md5 none debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent debug1: dh_gen_key: priv key bits set: 121/256 debug1: bits set: 1627/3191 debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT debug1: bits set: 1650/3191 debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent debug1: kex_derive_keys debug1: newkeys: mode 1 debug1: SSH2_MSG_NEWKEYS sent debug1: waiting for SSH2_MSG_NEWKEYS debug1: newkeys: mode 0 debug1: SSH2_MSG_NEWKEYS received debug1: KEX done debug1: userauth-request for user root service ssh-connection method none debug1: attempt 0 failures 0 debug1: Starting up PAM with username "root" debug1: PAM setting rhost to "q.bofh.de" Failed none for root from 212.126.220.202 port 3603 ssh2 Failed none for root from 212.126.220.202 port 3603 ssh2 debug1: userauth-request for user root service ssh-connection method publickey debug1: attempt 1 failures 1 debug1: test whether pkalg/pkblob are acceptable debug1: temporarily_use_uid: 0/0 (e=0) debug1: trying public key file /root/.ssh/authorized_keys debug1: matching key found: file /root/.ssh/authorized_keys, line 2 Found matching RSA key: 13:bf:4c:79:05:b8:11:a1:42:ff:58:67:6c:66:7c:9b debug1: restore_uid Postponed publickey for root from 212.126.220.202 port 3603 ssh2 debug1: userauth-request for user root service ssh-connection method publickey debug1: attempt 2 failures 1 debug1: temporarily_use_uid: 0/0 (e=0) debug1: trying public key file /root/.ssh/authorized_keys debug1: matching key found: file /root/.ssh/authorized_keys, line 2 Found matching RSA key: 13:bf:4c:79:05:b8:11:a1:42:ff:58:67:6c:66:7c:9b debug1: restore_uid debug1: ssh_rsa_verify: signature correct ROOT LOGIN REFUSED FROM 212.126.220.202 Failed publickey for root from 212.126.220.202 port 3603 ssh2 Root login accepted for forced command. Accepted publickey for root from 212.126.220.202 port 3603 ssh2 debug1: monitor_child_preauth: root has been authenticated by privileged process debug1: userauth-request for user root service ssh-connection method keyboard-interactive debug1: attempt 3 failures 2 debug1: keyboard-interactive devs debug1: auth2_challenge: user=root devs= debug1: kbdint_alloc: devices '' Failed keyboard-interactive for root from 212.126.220.202 port 3603 ssh2 Connection closed by 212.126.220.202 debug1: Calling cleanup 0x806be5c(0x0) debug1: Calling cleanup 0x8052b48(0x0) debug1: Calling cleanup 0x806be5c(0x0) This happens no matter whether the client is debian stable or debian unstable. A backport of sid's 3.8.1p1-4 installed as sshd works fine. When I compare the sshd -d output with the one of the backport, I notice that the strange "ROOT LOGIN REFUSED" message two lines before "Root login accepted for forced command" has vanished: debug1: sshd version OpenSSH_3.8.1p1 Debian 1:3.8.1p1-3+4zg1 debug1: private host key: #0 type 0 RSA1 debug1: read PEM private key done: type RSA debug1: private host key: #1 type 1 RSA debug1: read PEM private key done: type DSA debug1: private host key: #2 type 2 DSA socket: Address family not supported by protocol debug1: Bind to port 22 on 0.0.0.0. Server listening on 0.0.0.0 port 22. Generating 768 bit RSA key. RSA key generation complete. debug1: Server will not fork when running in debugging mode. Connection from 212.126.220.202 port 3570 debug1: Client protocol version 2.0; client software version OpenSSH_3.4p1 Debian 1:3.4p1-1.woody.3 debug1: match: OpenSSH_3.4p1 Debian 1:3.4p1-1.woody.3 pat OpenSSH* debug1: Enabling compatibility mode for protocol 2.0 debug1: Local version string SSH-1.99-OpenSSH_3.8.1p1 Debian 1:3.8.1p1-3+4zg1 debug1: permanently_set_uid: 101/65534 debug1: list_hostkey_types: ssh-rsa,ssh-dss debug1: SSH2_MSG_KEXINIT sent debug1: SSH2_MSG_KEXINIT received debug1: kex: client->server aes128-cbc hmac-md5 none debug1: kex: server->client aes128-cbc hmac-md5 none debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent debug1: SSH2_MSG_NEWKEYS sent debug1: expecting SSH2_MSG_NEWKEYS debug1: SSH2_MSG_NEWKEYS received debug1: KEX done debug1: userauth-request for user root service ssh-connection method none debug1: attempt 0 failures 0 Failed none for root from 212.126.220.202 port 3570 ssh2 debug1: PAM: initializing for "root" debug1: userauth-request for user root service ssh-connection method publickey debug1: attempt 1 failures 1 debug1: test whether pkalg/pkblob are acceptable debug1: PAM: setting PAM_RHOST to "q.bofh.de" debug1: PAM: setting PAM_TTY to "ssh" debug1: temporarily_use_uid: 0/0 (e=0/0) debug1: trying public key file /root/.ssh/authorized_keys debug1: matching key found: file /root/.ssh/authorized_keys, line 2 Found matching RSA key: 13:bf:4c:79:05:b8:11:a1:42:ff:58:67:6c:66:7c:9b debug1: restore_uid: 0/0 Postponed publickey for root from 212.126.220.202 port 3570 ssh2 debug1: userauth-request for user root service ssh-connection method publickey debug1: attempt 2 failures 1 debug1: temporarily_use_uid: 0/0 (e=0/0) debug1: trying public key file /root/.ssh/authorized_keys debug1: matching key found: file /root/.ssh/authorized_keys, line 2 Found matching RSA key: 13:bf:4c:79:05:b8:11:a1:42:ff:58:67:6c:66:7c:9b debug1: restore_uid: 0/0 debug1: ssh_rsa_verify: signature correct Root login accepted for forced command. Root login accepted for forced command. Accepted publickey for root from 212.126.220.202 port 3570 ssh2 Accepted publickey for root from 212.126.220.202 port 3570 ssh2 debug1: monitor_child_preauth: root has been authenticated by privileged process debug1: Entering interactive session for SSH2. debug1: server_init_dispatch_20 debug1: server_input_channel_open: ctype session rchan 0 win 131072 max 32768 debug1: input_session_request debug1: channel 0: new [server-session] debug1: session_new: init debug1: session_new: session 0 debug1: session_open: channel 0 debug1: session_open: session 0: link with channel 0 debug1: server_input_channel_open: confirm session debug1: server_input_channel_req: channel 0 request exec reply 0 debug1: session_by_channel: session 0 channel 0 debug1: session_input_channel_req: session 0 req exec debug1: Forced command '/home/mh/echooriginal' debug1: PAM: establishing credentials debug1: Received SIGCHLD. debug1: session_by_pid: pid 29575 debug1: session_exit_message: session 0 channel 0 pid 29575 debug1: session_exit_message: release channel 0 debug1: session_close: session 0 pid 29575 debug1: channel 0: free: server-session, nchannels 1 Connection closed by 212.126.220.202 debug1: do_cleanup debug1: PAM: cleanup Closing connection to 212.126.220.202 debug1: PAM: cleanup Is this a bug in openssh 3.4? Any workaround? I'd hate to have to work with a backported 3.8 on production systems. This is why I report this bug against woody, tagged appropriately. Greetings Marc -- System Information: Debian Release: testing/unstable APT prefers unstable APT policy: (500, 'unstable') Architecture: i386 (i686) Kernel: Linux 2.4.26-zgserver Locale: LANG=C, LC_CTYPE=C Versions of packages ssh depends on: ii adduser 3.56 Add and remove users and groups ii debconf 1.4.25 Debian configuration management sy ii dpkg 1.10.22 Package maintenance system for Deb ii libc6 2.3.2.ds1-13 GNU C Library: Shared libraries an ii libpam-modules 0.76-21 Pluggable Authentication Modules f ii libpam-runtime 0.76-21 Runtime support for the PAM librar ii libpam0g 0.76-21 Pluggable Authentication Modules l ii libssl0.9.7 0.9.7d-3 SSL shared libraries ii libwrap0 7.6.dbs-4 Wietse Venema's TCP wrappers libra ii zlib1g 1:1.2.1.1-3 compression library - runtime -- debconf information excluded
