LinuxQuestions.org
Linux - Newbie
04-17-2015, 08:06 PM   #1
benjam1nrk
LQ Newbie
Registered: Mar 2010
Distribution: CentOS
Posts: 24

SSH ForceCommand


I am in the process of migrating from a CentOS 5 to a CentOS 6 server. I have Duo two-factor authentication working on my original server via the ForceCommand parameter in my sshd_config file. SSH login prompts for a password and immediately pushes Duo authentication to the phone.

On my new server, it appears the .bashrc file is executed before ForceCommand, as I migrated my .bashrc from the original server to the new server. This was not the case previously.

How do I force the ForceCommand to run before any profile-dependent .bashrc's?

Thank you.
 
04-19-2015, 05:39 AM   #2
unSpawn
Moderator
Registered: May 2001
Posts: 29,331
Blog Entries: 55
Quote:
Originally Posted by benjam1nrk View Post
On my new server, it appears the .bashrc file is executed before ForceCommand, as I migrated my .bashrc from original server to new server. This was not the case previously.
Took some time finding out but here's how / why:
Code:
# fetch the RHEL 6 bash source RPM (the CentOS 6 package is rebuilt from it)
]$ wget http://ftp.redhat.com/redhat/linux/enterprise/6Server/en/os/SRPMS/bash-4.1.2-29.el6.src.rpm

# unpack the SRPM: upstream tarball, spec file and Red Hat's patches
]$ rpm2cpio bash-4.1.2-29.el6.src.rpm | cpio -idmv

# look for the build-time switch that makes bash read ~/.bashrc when run by sshd
]$ grep SSH_SOURCE_BASHRC -nr .
./bash-4.1/shell.c:1010:#ifdef SSH_SOURCE_BASHRC
./bash-4.1/config-top.h:91:/* #define SSH_SOURCE_BASHRC */
./bash-4.1/variables.c:570:      * I've made that behavior conditional on SSH_SOURCE_BASHRC being defined
./bash-4.1/CHANGES:3201:    run the startup files.  If the SSH_SOURCE_BASHRC is uncommented in
./bash.spec:583:- Enabling #define SSH_SOURCE_BASHRC, because ssh changed.
./bash-3.2-ssh_source_bash.patch:8:-/* #define SSH_SOURCE_BASHRC */
./bash-3.2-ssh_source_bash.patch:9:+#define SSH_SOURCE_BASHRC

# upstream ships it commented out; Red Hat's patch turns it on, and the
# spec changelog names the bug that motivated the change
]$ grep -A1 SSH_SOURCE_BASHRC bash.spec 
- Enabling #define SSH_SOURCE_BASHRC, because ssh changed.
  Resolves: #458839

]$ xdg-open "https://bugzilla.redhat.com/show_bug.cgi?id=458839"
...and there you have it. Well, the cause at least.


Quote:
Originally Posted by benjam1nrk View Post
How do I force the ForceCommand to run before any profile dependent .bashrc's?
Three options in no particular order and without any regard for feasibility:
0) set the user's shell to Something Completely Different that has no profile customizations (and use an alias or function to switch over to BASH),
1) recompile BASH and don't define SSH_SOURCE_BASHRC (which causes problems for your systems as this is now expected behaviour, plus you'll spend more time maintaining as you have to recompile BASH each time it's released) or
2) avoid sourcing profile-dependent stuff when running a non-interactive ('bash -c') shell: see the "INVOCATION" chapter in 'man bash' on what you need to do.

*I learned to avoid customizing ~/.bash* stuff a long time ago and on login I manually source aliases from a non-~/.bash* file name. What may look like an extra step to some means more control to me...
 
04-19-2015, 02:38 PM   #3
benjam1nrk
LQ Newbie
Registered: Mar 2010
Distribution: CentOS
Posts: 24
Original Poster
Quote:
Originally Posted by unSpawn View Post
Took some time finding out but here's how / why:
[...]

I appreciate you taking the time to investigate; I probably would have driven myself to some degree of insanity trying to resolve this.

At the end of the day, it sounds as though the ForceCommand may no longer be the best method to utilize Duo, and I will most likely switch to the PAM module implementation.

It seems as though changing the ForceCommand implementation between releases creates somewhat of an exploitable hole, as any user with authority to modify his .bashrc file can run a custom command preceding the one specified in the ForceCommand parameter.
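The behaviour unSpawn traced to SSH_SOURCE_BASHRC in #2 and the ordering benjam1nrk describes in #3, reproduced in an added shell example that is not code from the thread: it runs a stand-in forced command the way sshd does (login shell, -c, SSH_CLIENT in a clean environment) against a throw-away home directory and reports whether ~/.bashrc ran first. It then shows the interactive-shell guard from man bash (option 2 in #2) and, as one way to carry out option 0, a wrapper login shell that execs bash with rc files disabled. The run_forced_command harness, the wrapper, the order.log file and the 203.0.113.5 client address are all assumptions made for this example.

```shell
#!/bin/bash
# Added example, not code from the thread: reproduce the behaviour unSpawn
# traced in the bash sources (#2) and the ordering benjam1nrk describes (#3).
#
# sshd runs a ForceCommand as      <login shell> -c "<ForceCommand>"
# with SSH_CLIENT (plus SSH_CONNECTION and SSH_ORIGINAL_COMMAND) in the
# environment.  A bash built with SSH_SOURCE_BASHRC notices SSH_CLIENT and
# sources ~/.bashrc before it runs the -c string, so anything the user put
# in ~/.bashrc executes ahead of the forced command.
set -u

# Run a stand-in forced command the way sshd would, against a throw-away
# $HOME whose ~/.bashrc is $1, using $2 as the account's login shell.
# Prints the order in which the two pieces of code ran:
# "bashrc forced" or just "forced".  (harness, assumed for this example)
run_forced_command() {   # $1 = .bashrc body, $2 = login shell (default bash)
    local home log shell=${2:-bash}
    home=$(mktemp -d) || return 1
    log=$home/order.log
    printf '%s\n' "$1" > "$home/.bashrc"
    # env -i gives the clean environment sshd starts the shell with (in
    # particular no SHLVL: bash only sources ~/.bashrc here when it believes
    # it is the top-level shell).  SSH_CLIENT is the value bash keys on;
    # 203.0.113.5 is a constructed documentation address.
    env -i HOME="$home" PATH="$PATH" LOG="$log" \
        SSH_CLIENT='203.0.113.5 51234 22' SSH_ORIGINAL_COMMAND='ls -l' \
        "$shell" -c 'echo forced >> "$LOG"'   # stand-in for the ForceCommand
    tr '\n' ' ' < "$log" | sed 's/ $//'
    rm -rf "$home"
}

# A migrated ~/.bashrc that does its work unconditionally (constructed).
UNGUARDED_RC='echo bashrc >> "$LOG"'

# Option 2 from #2: the guard described under INVOCATION in man bash.
# $- contains "i" only in an interactive shell, so the "bash -c" that sshd
# spawns returns from the file before touching anything.
GUARDED_RC='case $- in *i*) ;; *) return ;; esac
echo bashrc >> "$LOG"'

# Does this bash build source ~/.bashrc for an ssh-style "bash -c"?
bash_sources_rc_under_ssh() {
    [ "$(run_forced_command "$UNGUARDED_RC")" = "bashrc forced" ]
}

# The guard keeps user customisations out of the forced command's way, but
# it lives in a file the user owns, so it is a convenience, not a control.
guarded_rc_is_silent() {
    [ "$(run_forced_command "$GUARDED_RC")" = "forced" ]
}

# Option 0 from #2, one way to do it (an assumption, not from the thread):
# make the account's login shell a wrapper that execs bash with rc files
# disabled.  The wrapper itself is run as a script, not with -c, so bash does
# not consult ~/.bashrc for it either; and sshd does not pass the client's
# environment (BASH_ENV and friends) unless PermitUserEnvironment is set.
write_norc_login_shell() {   # prints the path of the wrapper it created
    local wrapper
    wrapper=$(mktemp) || return 1
    cat > "$wrapper" <<'EOF'
#!/bin/sh
exec bash --norc --noprofile "$@"
EOF
    chmod 755 "$wrapper"
    printf '%s\n' "$wrapper"
}

# With the wrapper as login shell even an unguarded ~/.bashrc stays out of
# the picture, whichever way bash was built.
norc_shell_ignores_rc() {
    local wrapper result
    wrapper=$(write_norc_login_shell) || return 1
    result=$(run_forced_command "$UNGUARDED_RC" "$wrapper")
    rm -f "$wrapper"
    [ "$result" = "forced" ]
}

if bash_sources_rc_under_ssh; then
    echo "this bash sources ~/.bashrc before a ForceCommand (SSH_SOURCE_BASHRC build)"
else
    echo "this bash does not source ~/.bashrc for an ssh-style bash -c"
fi
guarded_rc_is_silent  && echo "guarded ~/.bashrc: only the forced command ran"
norc_shell_ignores_rc && echo "--norc login shell: only the forced command ran"
```

The first check is deliberately a report rather than a pass/fail: whether the unguarded ~/.bashrc runs depends on how the local bash was built, which is what the SRPM dig in #2 established for CentOS 6. The guard only keeps a cooperative user's customisations out of the way. The wrapper shell, or a root-owned ~/.bashrc inside a home directory the user cannot rename files in, is what actually stops the user from running code ahead of the forced command, and moving the second factor into PAM, as #3 concludes, sidesteps the question because PAM authentication happens inside sshd before any shell is started.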
 
04-19-2015, 04:11 PM   #4
joe_2000
Member
Registered: Jul 2012
Location: Aachen, Germany
Distribution: Void, Debian
Posts: 808
Quote:
Originally Posted by unSpawn View Post
*I learned to avoid customizing ~/.bash* stuff long time ago and on login I manually source aliases from a non-~/.bash* file name. What may look like an extra step to some means more control to me...
I'd be interested to understand the benefits of this approach better... Would you mind elaborating a bit more?
 
04-25-2015, 03:54 AM   #5
unSpawn
Moderator
Registered: May 2001
Posts: 29,331
Blog Entries: 55
Quote:
Originally Posted by joe_2000 View Post
Would you mind elaborating a bit more?
Simply put, if your environment is pristine there are no local customizations to distract or bite you. Sorry, but there really isn't much more to elaborate than that.
 
04-25-2015, 10:39 AM   #6
joe_2000
Member
Registered: Jul 2012
Location: Aachen, Germany
Distribution: Void, Debian
Posts: 808
Quote:
Originally Posted by unSpawn View Post
Sorry but there really isn't much more to elaborate than that.
OK, thanks anyway
 
  



Tags
bugzilla 458839, ssh forcecommand bash -c, ssh_source_bashrc


All times are GMT -5.
