OpenSSH root forced command?

From: Joseph Gosselin <gnostic@rcn.com>
Date: 28 Mar 2002 05:56:03 GMT

Hello, I am experiencing some relatively difficult issues with OpenSSH
on two Redhat 7.1 boxen. What I would like to do is set up a system
whereby we can tell our clients to just create a file in
.ssh/authorized_keys for root, which will contain the command="..."
syntax option followed by a key for our root user, so that we can run
backup operations without a password, and without having to ask the
client to change the 'sshd' config file and HUP the daemon. According to
the manpage (or at least how I read it), you can run root commands even
with PermitRootLogin set to 'no' in the 'sshd_config' file, so long as
you specify the specific command to run in the key syntax in root's
.ssh/authorized_keys file. Unfortunately in my experience this has not
been the case. On multiple machines across many architectures (though I
am only currently concerned with Linux), this system will simply not
work with PermitRootLogin set to "no", although it works fine with that
parameter set to "yes" (though it kind of defeats the purpose that way).
I've searched for hours on Google for someone with this info, but have
not found anything - I apologize if I'm being a nuisance.

Oddly enough, the error which stops me from running this forced command
appears to occur on the client side, instead of the server side, as per
the following snippet:

        debug1: Remote: Forced command: /bin/date
        debug1: Received RSA challenge from server.
        debug1: Sending response to host key RSA challenge.
        debug1: Remote: RSA authentication accepted.
        debug1: RSA authentication refused.

I read this as saying that the Remote machine (the server) has accepted
my authentication, but that the client is reading this as a denial for
some reason. I have added to the end of this post the full
triple-verbosity output of my ssh command to the server. I sincerely
thank you for your aid.

(ps: I've tried this with SSH version 2 as well - the problem remains
exactly the same)

# ssh -v -v -v -1 root@server /bin/date
OpenSSH_3.1p1, SSH protocols 1.5/2.0, OpenSSL 0x0090600f
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Rhosts Authentication disabled, originating port will not be trusted.
debug1: restore_uid
debug1: ssh_connect: getuid 0 geteuid 0 anon 1
debug1: Connecting to eagle.bu.edu [128.197.20.26] port 22.
debug1: temporarily_use_uid: 0/0 (e=0)
debug1: restore_uid
debug1: temporarily_use_uid: 0/0 (e=0)
debug1: restore_uid
debug1: Connection established.
debug1: identity file /root/.ssh/identity type 0
debug1: Remote protocol version 1.99, remote software version OpenSSH_2.9p2
debug1: match: OpenSSH_2.9p2 pat OpenSSH*
debug1: Local version string SSH-1.5-OpenSSH_3.1p1
debug1: Waiting for server public key.
debug1: Received server public key (768 bits) and host key (1024 bits).
debug3: check_host_in_hostfile: filename /root/.ssh/known_hosts2
debug3: check_host_in_hostfile: filename /etc/ssh/ssh_known_hosts2
debug3: check_host_in_hostfile: filename /root/.ssh/known_hosts2
debug3: check_host_in_hostfile: filename /etc/ssh/ssh_known_hosts2
debug3: check_host_in_hostfile: filename /root/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 1
debug3: check_host_in_hostfile: filename /root/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 1
debug1: Host 'eagle.bu.edu' is known and matches the RSA1 host key.
debug1: Found key in /root/.ssh/known_hosts:1
debug1: Encryption type: 3des
debug1: Sent encrypted session key.
debug1: cipher_init: set keylen (16 -> 32)
debug1: cipher_init: set keylen (16 -> 32)
debug1: Installing crc compensation attack detector.
debug1: Received encrypted confirmation.
debug1: Trying RSA authentication with key '/root/.ssh/identity'
debug1: Remote: Forced command: /bin/date
debug1: Received RSA challenge from server.
debug1: Sending response to host key RSA challenge.
debug1: Remote: RSA authentication accepted.
debug1: RSA authentication refused.
debug1: Doing challenge response authentication.
debug1: No challenge.
debug1: Doing password authentication.
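
An added example, not part of the original post: sshd_config(5) documents `forced-commands-only` as the PermitRootLogin value that admits root public-key logins only for keys carrying a command= option, while `no` refuses root altogether. The audit below checks which keys in root's authorized_keys would be accepted under a given setting; the function names, the sample keys (placeholder key material) and the fallback default of "yes" are assumptions made for the example.

```python
import re

# One option: name, optional ="value" (\" escapes a quote), then "," or end of field.
OPT = re.compile(r'([A-Za-z0-9-]+)(?:="((?:\\"|[^"])*)")?(,|(?=\s)|$)')

def parse_entry(line):
    """Split one authorized_keys line into (options dict, key text)."""
    line, opts, pos = line.strip(), {}, 0
    if line.startswith(("ssh-", "ecdsa-", "sk-")) or line[:1].isdigit():
        return opts, line   # no options field: protocol 2 key type or SSH-1 "bits e n"
    while True:
        m = OPT.match(line, pos)
        if not m:
            raise ValueError("bad options field: " + line[:40])
        opts[m.group(1).lower()] = m.group(2) if m.group(2) is not None else True
        pos = m.end()
        if m.group(3) != ",":
            return opts, line[pos:].strip()

def permit_root_login(sshd_config, default="yes"):
    """First PermitRootLogin line wins; Match blocks are ignored (simplification)."""
    for raw in sshd_config.splitlines():
        words = raw.split("#")[0].split()
        if len(words) >= 2 and words[0].lower() == "permitrootlogin":
            return words[1].lower()
    return default  # assumption: pass the default of the sshd version being audited

def root_key_accepted(setting, opts):
    """Would this setting let root authenticate with a key carrying these options?"""
    if setting == "forced-commands-only":
        return "command" in opts
    return setting in ("yes", "without-password", "prohibit-password")

def audit(sshd_config, authorized_keys):
    setting = permit_root_login(sshd_config)
    rows = []
    for line in authorized_keys.splitlines():
        if line.strip() and not line.lstrip().startswith("#"):
            opts, key = parse_entry(line)
            rows.append((key.split()[-1], root_key_accepted(setting, opts), opts.get("command")))
    return setting, rows

# Constructed sample input; the key material is a placeholder, not a real key.
KEYS = '''command="/bin/date",no-port-forwarding,no-pty ssh-rsa AAAAB3PLACEHOLDER backup@example
ssh-rsa AAAAB3PLACEHOLDER admin@example
command="tar -cf - /etc,/home" 1024 35 1234567890 legacy-rsa1@example
'''
if __name__ == "__main__":
    print(audit("PermitRootLogin forced-commands-only", KEYS))
```

Each row is (key comment, accepted for root, forced command); under `PermitRootLogin no` every row comes back refused regardless of the command= option.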


