OpenSSH: Prevent globbing on SSH_ORIGINAL_COMMAND
I have the following setup where I use an OpenSSH server to remotely start a certain command using ssh.
My authorized_keys file has the following entry:
command="/path/to/script.sh $SSH_ORIGINAL_COMMAND",no-port-forwarding,no-x11-forwarding,no-agent-forwarding ssh-rsa AAAA…qGDf my_special_key
This means that if anyone connects using that key (e.g. by using ssh -i special_key_file user@server) the script script.sh gets executed on my server. Now there is also the $SSH_ORIGINAL_COMMAND placeholder which gets replaced by all the extra command line to the ssh command, i.e. ssh -i special_key_file user@server foobar means that the $1 will have foobar in it.
To test it I can make my script.sh look like the following:
#!/bin/sh
printf '<%s>\n' "$@"
Now for ssh -i special_key_file user@server 'foo bar', just like for ssh -i special_key_file user@server foo bar, I will get the same result:
<foo>
<bar>
Because of splitting. And if that wasn't bad enough, for ssh -i special_key_file user@server '*' I'm getting a file list:
<file1>
<file2>
…
So apparently the whole extra command line gets inserted into what is inside command= which is then run in a shell, with all the splitting and globbing steps happening. And apparently I can't use " inside the command="…" part so I can't put $SSH_ORIGINAL_COMMAND inside double quotes to prevent that from happening. Is there any other solution for me?
BTW, as explained in this dismissed RFE to introduce a $SSH_ESCAPED_ORIGINAL_COMMAND the ssh protocol is partly to blame as all the extra command line is transferred as one string. Still this is no reason to have a shell on the server side do all the splitting, especially if it then also does the glob expansion (I doubt that is ever useful here). Unlike the person who introduced that RFE I don't care about splitting for my use case, I just want no glob expansion.
Could a possible solution have to do with changing the shell environment OpenSSH uses for this task?
quoting wildcards openssh
edited Nov 20 '16 at 16:26
phk
asked Nov 20 '16 at 16:10
2 Answers
Use quotes:
cat bin/script.sh
#!/bin/sh
printf '<%s>\n' "$@"
command="/home/user/bin/script.sh \"${SSH_ORIGINAL_COMMAND}\"" ssh-rsa AA...
ssh -i .ssh/id_rsa.special hamilton '*'
<*>
ssh -i .ssh/id_rsa.special hamilton 'foo bar'
<foo bar>
But also you will get:
ssh -i .ssh/id_rsa.special hamilton '*' 'foo bar'
<* foo bar>
Not sure if that is a problem for you or not.
And I was confused about:
And apparently I can't use " inside the command="…"
I thought it was a kind of limitation in your task, so I deleted my answer.
I'm glad my answer helped you with your task!
edited Nov 20 '16 at 19:10
answered Nov 20 '16 at 16:52
Fedor Dikarev
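The behaviour the question describes and the quoting fix in the answer above, reproduced without an sshd. This is an added example, not code from the question or the answer. sshd does not substitute $SSH_ORIGINAL_COMMAND into the command= string itself: it exports the variable and hands the string to the user's login shell with -c, so the splitting and globbing are that shell's ordinary treatment of an unquoted expansion. The double quotes the answer uses are written as \" inside the authorized_keys option, which sshd(8) documents as the way to include quotes in a forced command; after sshd strips the option's own quotes the shell sees a normal "$SSH_ORIGINAL_COMMAND". The harness below builds a throwaway directory with two files and a copy of the question's script.sh, then runs both forms of the command string the way sshd would; all paths are constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the original post. Mimics how sshd runs a
# forced command: SSH_ORIGINAL_COMMAND is exported, and the command= string is
# handed to the login shell as: $SHELL -c '<command string>'.
# Everything that follows (splitting, globbing) is done by that shell.
set -u

demo_dir=$(mktemp -d)                      # constructed sandbox for the demo
trap 'rm -rf "$demo_dir"' EXIT
mkdir "$demo_dir/data"
: > "$demo_dir/data/file1"
: > "$demo_dir/data/file2"

# The test script from the question: prints one <arg> line per argument.
cat > "$demo_dir/script.sh" <<'EOF'
#!/bin/sh
printf '<%s>\n' "$@"
EOF
chmod +x "$demo_dir/script.sh"

# run_forced COMMAND_STRING CLIENT_COMMAND_LINE
# COMMAND_STRING is the value of command="..." after sshd has removed the
# option's own quotes (so \" in the file has become ").  The client command
# line is what ssh sends: its remaining arguments joined by spaces.
# Prints the arguments script.sh received, joined with '|'.
run_forced() {
    (
        cd "$demo_dir/data" || exit 1
        SSH_ORIGINAL_COMMAND=$2 sh -c "$1"
    ) | paste -s -d '|' -
}

# 1. As in the question: command="/path/script.sh $SSH_ORIGINAL_COMMAND"
unquoted="$demo_dir/script.sh \$SSH_ORIGINAL_COMMAND"
# 2. As in the answer:   command="/path/script.sh \"$SSH_ORIGINAL_COMMAND\""
quoted="$demo_dir/script.sh \"\$SSH_ORIGINAL_COMMAND\""

unquoted_glob()      { run_forced "$unquoted" '*'; }                # <file1>|<file2>
unquoted_split()     { run_forced "$unquoted" 'foo bar'; }          # <foo>|<bar>
unquoted_semicolon() { run_forced "$unquoted" 'x; echo injected'; } # <x;>|<echo>|<injected>
quoted_glob()        { run_forced "$quoted" '*'; }                  # <*>
quoted_split()       { run_forced "$quoted" 'foo bar'; }            # <foo bar>
quoted_multi()       { run_forced "$quoted" '* foo bar'; }          # <* foo bar>

for case_fn in unquoted_glob unquoted_split unquoted_semicolon \
               quoted_glob quoted_split quoted_multi; do
    printf '%-19s %s\n' "$case_fn:" "$($case_fn)"
done
```

The unquoted form also shows that a client-supplied ; is not a command injection by itself: the expanded value is never re-parsed as shell syntax, it is only split into words and globbed. Quoting turns everything the client sent into exactly one argument, which is why several client arguments arrive joined by spaces, as the answer notes.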
There should be no need to put $SSH_ORIGINAL_COMMAND on the command line at all. It's available as an environment variable to /path/to/script.sh. That would automatically remove one level of shell-evaluation.
Also, if you don't want your shell to expand any glob characters, consider writing script.sh in some language that isn't a shell such as perl/python/ruby/etc. Non-shell languages will only perform glob/file expansion when explicitly instructed to. But that might not be necessary if it obtains the value of $SSH_ORIGINAL_COMMAND directly from the environment rather than having it passed to it via the command line.
answered 3 hours ago
raf
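A handler along the lines of the answer above, as an added example (not the answerer's code and not the original poster's script). It is installed with a bare command="/path/to/handler.sh" option, so the string sshd passes to "$SHELL -c" contains nothing to expand; the request is read from SSH_ORIGINAL_COMMAND in the environment and matched against an allow-list with case patterns, which compare strings and never perform pathname expansion. It also shows the one thing the question actually asked for, word splitting without globbing, done with set -f. The subcommand names, the backup paths and the character set are all made up for the demo.

```shell
#!/bin/sh
# Added example, not the original poster's script or the answerer's code.
# A forced-command handler installed with a plain
#   command="/path/to/handler.sh",no-port-forwarding,... ssh-rsa AAAA... key
# so the command string sshd hands to "$SHELL -c" contains nothing to expand.
# The client's request is read from the environment and matched against an
# allow-list; it is never re-parsed by a shell, so '*', ';' or '$(...)' in it
# are plain characters.  Subcommands and paths are constructed for the demo.

# exec_allowed ARGV...
# In production this is: exec "$@".  Here it prints the argv so the
# decisions can be checked without running anything.
exec_allowed() {
    printf 'run:'
    printf ' %s' "$@"
    printf '\n'
}

# handle_request REQUEST
# REQUEST is the raw client command line (what sshd exports as
# SSH_ORIGINAL_COMMAND; empty when the client asked for a shell).
# Returns 0 and runs the mapped argv for an allowed request, 1 otherwise.
# 'case' matches patterns against the string; nothing here is subject to
# pathname expansion or word splitting.
handle_request() {
    request=$1
    case $request in
        status)
            exec_allowed uptime
            ;;
        "backup "*)
            # Exactly one parameter, restricted to a safe character set and
            # not allowed to contain '..', then placed in a fixed argv.
            name=${request#"backup "}
            case $name in
                ''|*[!A-Za-z0-9_.-]*|*..*)
                    echo "refused: bad backup name '$name'" >&2
                    return 1 ;;
            esac
            exec_allowed tar -czf "/srv/backups/$name.tgz" /srv/data
            ;;
        *)
            echo "refused: '$request'" >&2
            return 1 ;;
    esac
}

# split_request REQUEST
# For a handler that does want the question's word splitting but never
# globbing: 'set -f' disables pathname expansion, so the unquoted expansion
# below only splits on IFS and '*' stays a literal word.  The subshell keeps
# the option change local.  Prints the resulting words joined with '|'.
split_request() {
    (
        set -f
        set -- $1
        printf '<%s>\n' "$@" | paste -s -d '|' -
    )
}

# Demo of the decisions; a real handler ends with:
#   handle_request "${SSH_ORIGINAL_COMMAND:-}"
for req in status 'backup daily' '*' 'backup *' 'backup ../etc' 'status; id' ''; do
    if out=$(handle_request "$req" 2>&1); then
        printf 'ACCEPT %-14s -> %s\n' "'$req'" "$out"
    else
        printf 'REJECT %-14s -> %s\n' "'$req'" "$out"
    fi
done
printf 'split_request: %s\n' "$(split_request '* foo  bar')"   # <*>|<foo>|<bar>
```

The request is turned into an explicit argv (separate words passed to exec) and never fed back through a shell, so no quoting rules apply to what the client sent. On OpenSSH 7.2 and later the single authorized_keys option restrict disables port, X11 and agent forwarding, pty allocation and the rest in one word, which is shorter than the list of no-* options in the question.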