Created attachment 1648 [details] Temporarily fix (changed code in session.c) for this issue Hello: I have configured sshd_config as the following: ================================================= Subsystem sftp /opt/ssh/libexec/sftp-server #Subsystem sftp internal-sftp Match User sftpch ChrootDirectory /chrootdir ForceCommand internal-sftp ================================================== Now if somebody tries to do a ssh (not a sftp) with account sftpch, the connection hangs. And I have investigated this issue and generated a temporarily solution for it. Let's have a travel to the ForceCommand section to execute internal-sftp in do_exec() function, the source code just use IS_INTERNAL_SFTP(command) to check whether sshd want to use ForceCommand to execute internal-sftp or not and do not judge which requirement from client, that means when our customers use ssh (SUBSYSTEM_NONE) to connect to sshd but they have configured to use ForceCommand to execute internal-sftp, the logic error will happened (None Subsystem client connected to the internal-sftp Subsystem server), it looks like this is the root cause about this hang. Based on the root cause, I have generated a temporarily fix for this issue. Just use IS_INTERNAL_SFTP(command) to check whether to set the session->is_subsystem to SUBSYSTEM_INT_SFTP is not sufficient, we also have use if (s->is_subsystem != SUBSYSTEM_NONE) to check if the requirement from the client belong to subsystem or not meanwhile. I will list the detial detail of the fix below and please help us to have a review: ======================================================================= In the session.c source file ======================================================================= 845c845 + if (s->is_subsystem && IS_INTERNAL_SFTP(command)) --- - if (IS_INTERNAL_SFTP(command)) 853c853 + if (s->is_subsystem && IS_INTERNAL_SFTP(command)) --- - if (IS_INTERNAL_SFTP(command)) ======================================================================= With this temporarily fix, if somebody tries to do a ssh (not a sftp) with account sftpch and sshd_config is set to above , the connection will prompt "sh: internal-sftp: not found Connection to <remote nodename> closed." and then drop conections properly instead of hang. And for sftp and ssh with other account, it works correctly. Are there anybody could help me to trace this issue and review my temporarily fix since I am not an expert about Open-SSH code and I am not confirm this fix dose not make other side effect for Open-SSH. If you accept my fix, could you help me to port them into your next SSH version, and if you think my fix is not considerable, could you help me to figure out a new one? Best Regards Brent zpbrent@yahoo.com.cn
*** Bug 1605 has been marked as a duplicate of this bug. ***
Created attachment 1704 [details] abort non-subsystem sessions to forced internal sftp-server I think your proposed fix introduces a security vulnerability - a user could upload a file "internal-sftp" and sshd would execute it, since the SUBSYSTEM_INT_SFTP is no longer set when processing the session.
patch applied - this will be in openssh-5.4
With the release of 5.4p1, this bug is now considered closed.