I got a question regarding openssh, key files and the "command=" instruction.
My authorized_keys file contains the following:
command="svnserve -t -tunnel-user=username"
I want to log in as a user, let's call him svn, for key-based subversion access. This works if svn's shell is set to "/bin/bash". So I want to set the shell to /usr/bin/lshell to limit his possibilities of attacking.
But: neither a checkout nor a login using ssh is possible:
$ ssh svn@host
Enter passphrase for key '~/.ssh/id_rsa':
*** forbidden shell escape: "svnserve -t -tunnel-user=username"
This incident has been reported.
Connection to host closed.
$ svn co svn+ssh://host/var/vcs/Repo
Enter passphrase for key '~/.ssh/id_rsa':
*** forbidden char/command over SSH: "svnserve -t"
This incident has been reported.
Connection to host closed.
(ssh is an alias for "ssh -l svn" in .subversion/config)
So when I open a valid ssh session and run lshell from /bin/bash, I can call "svnserve -t -tunnel-user=username" without any problem.
My config-file:
# cat /etc/lshell.conf
# lshell.py configuration file
logpath : /var/log/lshell/
loglevel : 2
allowed :
#forbidden :
forbidden :
sudo_commands :
warning_counter : 2
aliases : {}
timer : 20
path :
home_path : '/var/vcs'
env_path : ':/usr/bin'
scp : 0
sftp : 0
overssh :
strict : 1
Is this a bug, or did I do something wrong?
(sorry for my bad English, my last conversation was a long time ago ;))
Hi fetzer,
This looks more like a bug to me. I'll look into it and keep you posted.
Thank you for reporting this issue.
Cheers,
Ignace M
PS: your English is way better than you give yourself credit for. ;)
I'm pretty concerned too, since i'm doing the exact same thing that Mr Fzrrl is doing.
I'm going to try the same settings that he was trying.
OK, the setting to allow svn commit with lshell was to allow 'svnserve' overssh.
Thanks for the tip!
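Putting the last reply's fix next to the original setup, here is an added pre-flight check (example code, not from this thread or from the lshell project): it reads the forced `command="..."` values out of an authorized_keys file and the `overssh` list out of lshell.conf, and reports which forced commands lshell would reject before anyone locks themselves out. The authorized_keys lines, user names (alice, bob, carol), key material and the two lshell.conf fragments are constructed for the example; `--tunnel-user` is spelled with two dashes, which is the svnserve option. The one assumption about lshell itself is the one the thread's error messages and the last reply point to: a command sent over ssh passes only if its first word is listed in `overssh`, and an empty `overssh` allows nothing.

```python
import re
import shlex

# Constructed sample authorized_keys for the "svn" account (not from the thread).
# The key blobs are placeholders, not real keys. The extra options on the first
# line are standard OpenSSH authorized_keys restrictions.
AUTHORIZED_KEYS = """\
no-pty,no-port-forwarding,command="svnserve -t --tunnel-user=alice" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPlaceholderKeyMaterial alice@laptop
command="svnserve -t --tunnel-user=bob" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPlaceholderKeyMaterial bob@desk
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPlaceholderKeyMaterial carol@unrestricted
"""

# Constructed lshell.conf fragments: the reporter's empty overssh, and the
# corrected one from the last reply (Python-list syntax, as lshell.conf uses).
LSHELL_CONF_BEFORE = "overssh :\nstrict : 1\n"
LSHELL_CONF_AFTER = "overssh : ['svnserve']\nstrict : 1\n"

# command="..." may contain backslash-escaped quotes, so match those too.
FORCED_CMD = re.compile(r'command="((?:[^"\\]|\\.)*)"')


def forced_commands(authorized_keys):
    """Return the command= value for each key line, or None for a key without one."""
    out = []
    for line in authorized_keys.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = FORCED_CMD.search(line)
        out.append(m.group(1).replace('\\"', '"') if m else None)
    return out


def overssh_allowed(lshell_conf):
    """Parse the overssh list from lshell.conf; an empty value means nothing is allowed."""
    for line in lshell_conf.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() == "overssh":
            value = value.strip()
            if not value:
                return []
            return [v.strip().strip("'\"") for v in value.strip("[]").split(",") if v.strip()]
    return []


def check(authorized_keys, lshell_conf):
    """Pair each forced command with 'ok' or a rejection reason.

    Assumption (not verified against lshell's source): lshell accepts a command
    sent over ssh when its first word is in the overssh list. Keys without a
    forced command are flagged separately, since then the client chooses the
    command and lshell's interactive allowed/forbidden rules decide.
    """
    allowed = set(overssh_allowed(lshell_conf))
    report = []
    for cmd in forced_commands(authorized_keys):
        if cmd is None:
            report.append((None, "no forced command: client picks the command"))
            continue
        first = shlex.split(cmd)[0]
        if first in allowed:
            report.append((cmd, "ok"))
        else:
            report.append((cmd, "rejected: %r not in overssh" % first))
    return report


if __name__ == "__main__":
    for label, conf in (("before", LSHELL_CONF_BEFORE), ("after", LSHELL_CONF_AFTER)):
        print("==", label, "overssh =", overssh_allowed(conf))
        for cmd, status in check(AUTHORIZED_KEYS, conf):
            print("  %-45s %s" % (cmd, status))
```

The third key line is the one to look at twice: without a forced command the client, not the server, decides what runs, so the `overssh` list is the only thing standing between that key and any command lshell happens to allow. For a repository-only account every key should carry `command=` plus the `no-pty`, `no-port-forwarding` style restrictions shown on the first line.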