c00l.wave (Apprentice)
Joined: 24 Aug 2003, Posts: 245
Posted: Sun Apr 07, 2013 12:47 pm
Post subject: SSH still provides a shell although no-pty is set

I'm trying to set up monitoring with Munin, largely following the guide on wiki.gentoo.org. Munin needs to set up SSH tunnels on demand, so I wanted to restrict them as much as possible. Unfortunately, if I set ~munin-async/.ssh/authorized_keys as follows, I am still able to get a shell. Usually that should not happen since I set no-pty? (I used that before and it always worked.)
Code:
# cat /var/spool/munin-async/.ssh/authorized_keys
permitopen="localhost:4949",no-X11-forwarding,no-agent-forwarding,no-pty,no-user-rc,from="10.2.0.16" ecdsa-sha2-nistp256 KEYHERE
Code:
$ ssh 10.2.0.1 -l munin-async
PTY allocation request failed on channel 0
Last login: Sun Apr 7 14:30:01 CEST 2013 from monitoring on ssh
cd /
ls
bin
boot
dev
etc
home
lib
lib32
lib64
lost+found
media
mnt
opt
proc
root
run
sbin
sys
tmp
usr
var
Connection to 10.2.0.1 closed.
Code:
# grep munin-async /etc/passwd
munin-async:x:104:104:added by portage for munin:/var/spool/munin-async:/bin/sh

OpenSSH is at 5.9_p1-r4.
_________________
nohup nice -n -20 cp /dev/urandom /dev/null &
Hu (Moderator)
Joined: 06 Mar 2007, Posts: 16889
Posted: Sun Apr 07, 2013 3:20 pm

Shells work without a pty, though they often work much better with one than without one. If you want to disallow running arbitrary programs, force a command when that key is used.
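Hu's point above, that no-pty only denies the terminal while the shell itself stays reachable and only a forced command closes that door, as an added example that is not code from the thread or from Munin: a small POSIX sh audit that reads authorized_keys lines and reports every key that has no command="..." option (or, on OpenSSH 7.2 and later, no restrict option). The two sample lines are constructed: the first is the weak line from the first post with the key elided to KEYHERE, the second is the same line with command="/bin/false" prepended. With that forced command any session request, shell or otherwise, runs /bin/false and ends, while a tunnel opened with ssh -N -L still works, because -N requests no session at all; the assumption here is that the Munin side opens its tunnel that way.

```shell
#!/bin/sh
# Added example, not from the thread: audit authorized_keys lines for keys that
# only restrict pty/forwarding but still allow an arbitrary shell, i.e. lines
# with no command="..." option (or, on OpenSSH 7.2 and later, no "restrict").
# Usage on a real file:  audit_keys < /var/spool/munin-async/.ssh/authorized_keys

# Constructed sample lines. WEAK_LINE is the line from the post (key elided to
# KEYHERE). FORCED_LINE adds command="/bin/false": a session request runs
# /bin/false and exits, while a tunnel opened with 'ssh -N -L ...' still works
# because -N requests no session.
WEAK_LINE='permitopen="localhost:4949",no-X11-forwarding,no-agent-forwarding,no-pty,no-user-rc,from="10.2.0.16" ecdsa-sha2-nistp256 KEYHERE'
FORCED_LINE='command="/bin/false",permitopen="localhost:4949",no-X11-forwarding,no-agent-forwarding,no-pty,no-user-rc,from="10.2.0.16" ecdsa-sha2-nistp256 KEYHERE'

# Regex for the key-type token that ends the options field.
KEY_TYPE_RE='(ssh-(rsa|dss|ed25519)|ecdsa-sha2-[a-z0-9]+|sk-[^ ]+)'

# key_options LINE: print only the options field, i.e. everything before the
# key-type token. A line that starts with the key type (no options) yields an
# empty field.
key_options() {
    printf '%s\n' "$1" |
        sed -E "s/^$KEY_TYPE_RE .*$//; s/ +$KEY_TYPE_RE .*$//"
}

# key_verdict LINE: print "shell" when an interactive shell is still reachable
# through this key, "forced" when a forced command or restrict pins it down.
key_verdict() {
    opts=$(key_options "$1")
    case "$opts" in
        *'command="'*) echo forced ;;
        restrict|restrict,*|*,restrict|*,restrict,*) echo forced ;;
        *) echo shell ;;
    esac
}

# audit_keys: read authorized_keys lines on stdin and print "<verdict>: <line>"
# for every key, skipping blank lines and comments.
audit_keys() {
    while IFS= read -r line; do
        case "$line" in ''|'#'*) continue ;; esac
        printf '%s: %s\n' "$(key_verdict "$line")" "$line"
    done
}

# count_shell_keys: number of keys in the constructed sample that still allow
# a shell (expected: 1, the weak line).
count_shell_keys() {
    printf '%s\n%s\n' "$WEAK_LINE" "$FORCED_LINE" | audit_keys | grep -c '^shell:'
}

printf '%s\n%s\n' "$WEAK_LINE" "$FORCED_LINE" | audit_keys
```

The check looks only at the options field, so a key comment containing the word "restrict" does not produce a false "forced" verdict; a key with no options at all is reported as "shell", which is the correct reading of such a line.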
c00l.wave (Apprentice)
Joined: 24 Aug 2003, Posts: 245
Posted: Sun Apr 07, 2013 4:02 pm

Ouch... Thanks for pointing that out.
I'm pretty sure the OpenSSH client (or server) did not let me continue to a shell if it couldn't allocate a PTY when I first tested it a few years back, or I did something different back then.
BTW, it's hard to believe so many other people rely on no-pty alone, but if you search for it there is an incredible number of posts/blogs/articles about no-pty being sufficient.