Gentoo Forums
SSH still provides a shell although no-pty is set
c00l.wave
Apprentice


Joined: 24 Aug 2003
Posts: 245

Posted: Sun Apr 07, 2013 12:47 pm    Post subject: SSH still provides a shell although no-pty is set

I'm trying to set up monitoring with Munin, largely following the guide on wiki.gentoo.org. Munin needs to set up SSH tunnels on demand, so I wanted to restrict them as well as possible. Unfortunately, if I set ~munin-async/.ssh/authorized_keys as follows, I am still able to get a shell. Usually that should not happen since I set no-pty? (I used that before and it always worked.)

Code:
# cat /var/spool/munin-async/.ssh/authorized_keys
permitopen="localhost:4949",no-X11-forwarding,no-agent-forwarding,no-pty,no-user-rc,from="10.2.0.16" ecdsa-sha2-nistp256 KEYHERE


Code:
$ ssh 10.2.0.1 -l munin-async
PTY allocation request failed on channel 0
Last login: Sun Apr  7 14:30:01 CEST 2013 from monitoring on ssh
cd /
ls
bin
boot
dev
etc
home
lib
lib32
lib64
lost+found
media
mnt
opt
proc
root
run
sbin
sys
tmp
usr
var
Connection to 10.2.0.1 closed.


Code:
# grep munin-async /etc/passwd
munin-async:x:104:104:added by portage for munin:/var/spool/munin-async:/bin/sh


OpenSSH is at 5.9_p1-r4.
_________________
nohup nice -n -20 cp /dev/urandom /dev/null &
Hu
Moderator


Joined: 06 Mar 2007
Posts: 13504

Posted: Sun Apr 07, 2013 3:20 pm

Shells work without a pty, though they often work much better with one than without one. If you want to disallow running arbitrary programs, force a command when that key is used.
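The advice above, as an added example that is not part of the original thread: a small Python audit that parses the options field of each authorized_keys entry and flags keys that have no `command=` option, including the "no-pty only" case from the first post. The function names, the key-type prefix heuristic and the forced-command path in the sample are assumptions or placeholders.

```python
KEY_PREFIXES = ("ssh-", "ecdsa-", "sk-")  # assumption: line starts with a key type

def split_unquoted(text, seps, maxsplit=-1):  # split outside double quotes only
    parts, cur, quoted, i = [], "", False, 0
    while i < len(text):
        ch = text[i]
        if quoted and text[i:i + 2] == '\\"':  # escaped quote inside a value
            cur, i = cur + '\\"', i + 2
            continue
        if ch == '"':
            quoted = not quoted
        if ch in seps and not quoted and maxsplit != 0:
            parts.append(cur)
            cur, maxsplit = "", maxsplit - 1
        else:
            cur += ch
        i += 1
    return parts + [cur]

def parse_entry(line):
    """Return one entry's options as a dict, or None for blank/comment lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    if line.startswith(KEY_PREFIXES):  # no options field at all
        return {}
    opts = {}
    # The options field ends at the first unquoted whitespace; items split on commas.
    for item in split_unquoted(split_unquoted(line, " \t", 1)[0], ","):
        name, _, value = item.partition("=")
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1].replace('\\"', '"')
        opts[name.lower()] = value  # option names are case-insensitive
    return opts

def audit(text):
    """Classify each key; only command= stops shells and arbitrary commands."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        opts = parse_entry(line)
        if opts is not None:
            status = ("forced-command" if "command" in opts else
                      "no-pty-without-command" if "no-pty" in opts else "no-forced-command")
            findings.append((n, status, opts.get("command")))
    return findings

SAMPLE = '''# constructed sample: entry 1 is the thread's line, entry 2 adds a placeholder command
permitopen="localhost:4949",no-X11-forwarding,no-agent-forwarding,no-pty,no-user-rc,from="10.2.0.16" ecdsa-sha2-nistp256 KEYHERE
command="/path/to/PLACEHOLDER --mode a,b",permitopen="localhost:4949",no-pty,from="10.2.0.16" ecdsa-sha2-nistp256 KEYHERE
ssh-ed25519 KEYHERE admin@example'''
```

`audit(SAMPLE)` reports the thread's entry as `no-pty-without-command`. A key flagged here may still be confined server-side by `ForceCommand` in sshd_config, which this file-level check cannot see.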
c00l.wave
Apprentice


Joined: 24 Aug 2003
Posts: 245

Posted: Sun Apr 07, 2013 4:02 pm

Ouch... Thanks for pointing that out. :oops:

I'm pretty sure the OpenSSH client (or server) did not let me continue to a shell if it couldn't allocate a PTY when I first tested it a few years back, or I did something else different back then.

BTW, it's hard to believe so many other people rely on no-pty alone, but if you search for it, there is an incredible number of posts/blogs/articles about no-pty being sufficient.
_________________
nohup nice -n -20 cp /dev/urandom /dev/null &
All times are GMT