Ssh – OpenSSH: Prevent globbing on SSH_ORIGINAL_COMMAND

opensshquotingwildcards

I have the following setup where I use an OpenSSH server to remotely start a certain command using ssh.

My authorized_keys file has the following entry:

command="/path/to/script.sh $SSH_ORIGINAL_COMMAND",no-port-forwarding,no-x11-forwarding,no-agent-forwarding ssh-rsa AAAA…qGDf my_special_key

This means that if anyone connects using that key (e.g. by using ssh -i special_key_file user@server) the script script.sh gets executed on my server. Now there is also the $SSH_ORIGINAL_COMMAND placeholder which gets replaced by all the extra command line to the ssh command, i.e. ssh -i special_key_file user@server foobar means that the $1 will have foobar in it.

To test it I can make my script.sh look the following:

#!/bin/sh
printf '<%s>\n' "$@"

Now for ssh -i special_key_file user@server 'foo bar' just like for ssh -i special_key_file user@server foo bar I will get the following same result:

<foo>
<bar>

Because of splitting. And if that wasn't bad enough, for ssh -i special_key_file user@server '*' I'm getting a file list:

<file1>
<file2>
…

So apparently the whole extra command line gets inserted into what is inside command= which is then run in a shell, with all the splitting and globing steps happening. And apparently I can't use " inside the command="…" part so I can't put $SSH_ORIGINAL_COMMAND inside double quotes to prevent that from happening. Is there any other solution for me?

BTW, as explained in this dismissed RFE to introduce a $SSH_ESCAPED_ORIGINAL_COMMAND the ssh protocol is party to blame as all the extra command line is transferred as one string. Still this is no reason to have a shell on the server side do all the splitting, especially if it then also does the glob expansion (I doubt that is ever useful here). Unlike the person who introduced that RFE I don't care about splitting for my use case, I just want no glob expansion.

Could a possible solution have to do with changing the shell environment OpenSSH uses for this task?

Best Answer

Use quotes:

cat bin/script.sh
#!/bin/sh
printf '<%s>\n' "$@"

command="/home/user/bin/script.sh \"${SSH_ORIGINAL_COMMAND}\"" ssh-rsa AA...

ssh -i .ssh/id_rsa.special hamilton '*'
<*>
ssh -i .ssh/id_rsa.special hamilton 'foo bar'
<foo bar>

But also you will get:

ssh -i .ssh/id_rsa.special hamilton '*' 'foo bar'
<* foo bar>

Not sure is it a problem for you or not.

And I was confused about:

And apparently I can't use " inside the command="…"

I thought it's kind of limitation in your task so deleted my answer.
I'm glad my answer helped you with your task!

Related Solutions

Shell – Determine dynamically allocated port for OpenSSH RemoteForward

Unfortunately I didn't find your question earlier, but I've just got a really good answer from kamil-maciorowski:

https://unix.stackexchange.com/a/584505/251179

In summary, establish a master connection first, keep that in the background, then issue a second command with -O *ctl_cmd* set to forward to request/setup port forwarding:

ssh -fNMS /path/to/socket user@server

port="$(ssh -S /path/to/socket -O forward -R 0:localhost:22 placeholder)"

This will give you $port on your local machine, and a connection in the background.

You can then use $port locally; or use ssh again to run a command on the remote server, where you can use the same control socket.

As to the flags, these are:

-f = Requests ssh to go to background.
-N = Do not execute a remote command.
-M = Places client into “master” mode, for connection sharing.
-S = Location of a control socket for connection sharing.
-O = Control an active connection multiplexing master process.

In my case I've added a bit more to keep checking the connection:

#!/bin/bash

#--------------------------------------------------
# Setup
#--------------------------------------------------

  set -u;

  tunnel_user="user";
  tunnel_host="1.1.1.1";

  local_port="22";
  local_name="my-name";

  path_key="$HOME/.ssh/tunnel_ed25519";

  path_lock="/tmp/tunnel.${tunnel_host}.pid"
  path_port="/tmp/tunnel.${tunnel_host}.port"
  path_log="/tmp/tunnel.${tunnel_host}.log"
  path_socket="/tmp/tunnel.${tunnel_host}.socket"

#--------------------------------------------------
# Key file
#--------------------------------------------------

  if [ ! -f "${path_key}" ]; then

    ssh-keygen -q -t ed25519 -f "${path_key}" -N "";

    /usr/local/bin/tunnel-client-key.sh
      # Sends the public key to a central server, also run via cron, so it can be added to ~/.ssh/authorized_keys
      # curl -s --form-string "pass=${pass}" --form-string "name=$(local_name)" -F "key=@${path_key}.pub" "https://example.com/key/";

  fi

#--------------------------------------------------
# Lock
#--------------------------------------------------

  if [ -e "${path_lock}" ]; then
    c=$(pgrep -F "${path_lock}" 2>/dev/null | wc -l);
      # MacOS 10.15.4 does not support "-c" to count processes, or the full "--pidfile" flag.
  else
    c=0;
  fi

  if [[ "${c}" -gt 0 ]]; then
    if tty -s; then
      echo "Already running";
    fi;
    exit;
  fi;

  echo "$$" > "${path_lock}";

#--------------------------------------------------
# Port forward
#--------------------------------------------------

  retry=0;

  while true; do

    #--------------------------------------------------
    # Log cleanup
    #--------------------------------------------------

      if [ ! -f "${path_log}" ]; then
        touch "${path_log}";
      fi

      tail -n 30 "${path_log}" > "${path_log}.tmp";

      mv "${path_log}.tmp" "${path_log}";

    #--------------------------------------------------
    # Exit old sockets
    #--------------------------------------------------

      if [ -S "${path_socket}" ]; then

        echo "$(date) : Exit" >> "${path_log}";

        ssh -S "${path_socket}" -O exit placeholder;

      fi

    #--------------------------------------------------
    # Lost lock
    #--------------------------------------------------

      if [ ! -e "${path_lock}" ] || ! grep -q "$$" "${path_lock}"; then

        echo "$(date) : Lost Lock" >> "${path_log}";

        exit;

      fi

    #--------------------------------------------------
    # Master connection
    #--------------------------------------------------

      echo "$(date) : Connect ${retry}" >> "${path_log}";

      ssh -o StrictHostKeyChecking=no -o ConnectTimeout=10 -o ServerAliveInterval=30 -o ExitOnForwardFailure=yes -fNTMS "${path_socket}" -i "${path_key}" "${tunnel_user}@${tunnel_host}" >> "${path_log}" 2>&1;

    #--------------------------------------------------
    # Setup and keep checking the port forwarding
    #--------------------------------------------------

      old_port=0;

      while ssh -S "${path_socket}" -O check placeholder 2>/dev/null; do

        new_port=$(ssh -S "${path_socket}" -O forward -R "0:localhost:${local_port}" placeholder 2>&1);

        if [[ "${new_port}" -gt 0 ]]; then

          retry=0;

          if [[ "${new_port}" -ne "${old_port}" ]]; then

            ssh -i "${path_key}" "${tunnel_user}@${tunnel_host}" "tunnel.port.sh '${new_port}' '${local_name}'" >> "${path_log}" 2>&1;
              # Tell remote server what the port is, and local_name.
              # Don't use socket, it used "-N"; if done, a lost connection keeps sshd running on the remote host, even with ClientAliveInterval/ClientAliveCountMax.

            echo "$(date) : ${new_port}" >> "${path_log}";

            echo "${new_port}" > "${path_port}";

            old_port="${new_port}";

            sleep 1;

          else

            sleep 300; # Looks good, check again in 5 minutes.

          fi

        else # Not a valid port number (0, empty string, number followed by an error message, etc?)

          ssh -S "${path_socket}" -O exit placeholder 2>/dev/null;

        fi

      done

    #--------------------------------------------------
    # Cleanup
    #--------------------------------------------------

      if [ ! -f "${path_port}" ]; then
        rm "${path_port}";
      fi

      echo "$(date) : Disconnected" >> "${path_log}";

    #--------------------------------------------------
    # Delay before next re-try
    #--------------------------------------------------

      retry=$((retry+1));

      if [[ $retry -gt 10 ]]; then
        sleep 180; # Too many connection failures, try again in 3 minutes
      else
        sleep 5;
      fi

  done

Best Answer

Related Solutions

Shell – Determine dynamically allocated port for OpenSSH RemoteForward

Related Question