Solaris 8 ssh issue - $SSH_ORIGINAL_COMMAND undefined variables

I face a weird question I don't know how to deal with.
I tried to limit the permissions of the root user for remote login using ssh.
So I did the following for a client server:

  1. Edit /usr/local/etc/sshd_config and modify it as below:
PermitRootLogin forced-commands-only
  2. Use pubkey authentication and add the following command to authorized_keys:
command="source /root/testssh" ssh-rsa AAAAB3NzaC1yc2EAAAABIwAA...... root@hostserver
  3. Use a wrapper script "testssh" to parse $SSH_ORIGINAL_COMMAND and then do its own work. The test script is as below:
#!/bin/bash

case $SSH_ORIGINAL_COMMAND in
  "shutdown")
        Platform=`uname`
        if [ $Platform == "Linux" ]; then
          echo "This is Linux"
        elif [ $Platform == "SunOS" ]; then
          echo "This is SunOS"
        fi
        ;;
  "test")
        echo "Test connection. This is `hostname`."
        ;;
  *)
        echo "Permission Denied. Terminated."
        exit 1
        ;;
esac

The Solaris host ssh version is OpenSSH_3.7.1p2, SSH protocols 1.5/2.0, and
there are two clients to test.

  • client 1: Solaris system using ssh version OpenSSH_5.9p1
  • client 2: Linux Red Hat 5.7 using ssh version OpenSSH_4.3p2

When I tested it using ssh root@client1 or ssh root@client1 "arguments" from the host connecting to the clients, it worked well when connecting to client 2, which is Linux. But when connecting to client 1, which is a Solaris system, it kept showing the following message:

SSH_ORIGINAL_COMMAND: Undefined variable

I just can't figure it out. As far as I know, ssh will normally set this environment variable.

Does someone have any idea? I've been stuck on this for a while. :frowning:

Can you take out the restriction again and run a simple remote command to list out the variables set into a file? Something like this might do:-

ssh root@client1 "env > /tmp/root.ssh.env ; set > /tmp/root.ssh.set"

Then sign in and have a look in the two files created to see if anything leaps out. I'm afraid that I don't have a Solaris server available to test this.

I hope that this helps,
Robin

Thanks for your suggestion. I wrote out two files as you said, but I can't see the key points. Would you give me some hints? Thanks.

root.ssh.env

USER=root
LOGNAME=root
HOME=/
PATH=.:/:/usr/openwin/bin/xview:/usr/openwin/bin:/sbin:/usr/sbin:/usr/ccs/bin:/usr/bin:/usr/ucb:/bin:/usr/local:/usr/drac:/usr/local/bin:/usr/local/sbin
MAIL=/var/mail/root
SHELL=/bin/tcsh
TZ=Asia/Taipei
SSH_CLIENT=172.26.80.85 37543 22
SSH_CONNECTION=172.26.80.85 37543 172.26.80.82 22
HOSTTYPE=sun4
VENDOR=sun
OSTYPE=solaris
MACHTYPE=sparc
SHLVL=1
PWD=/
GROUP=other
HOST=client1
LD_LIBRARY_PATH=/lib:/usr/lib:/usr/local/lib
MANPATH=/usr/local/man:/usr/man:/usr/openwin/man:/home7/SUNWspro/man

root.ssh.set

addsuffix       
argv    ()
command env > /tmp/root.ssh.env; set > /tmp/root.ssh.set
cwd     /
dirstack        /
echo_style      bsd
gid     1
group   other
history 80
home    /
ignoreeof       
lpath   (/usr/openwin/bin/xview /usr/openwin/bin)
mychoice        openwin
noclobber       
owd     
path    (. / /usr/openwin/bin/xview /usr/openwin/bin /sbin /usr/sbin /usr/ccs/bin /usr/bin /usr/ucb /bin /usr/local /usr/drac /usr/local/bin /usr/local/sbin)
prompt  client1.root{~ }# 
shell   /bin/tcsh
shlvl   1
status  0
tcsh    6.10.00
tty     
uid     0
user    root
version tcsh 6.10.00 (Astron) 2000-11-19 (sparc-sun-solaris) options 8b,nls,dl,al,rh,color

From the sshd man page regarding the authorized_keys file format:

so your first test command may not supply that variable.
I'm a bit insecure regarding your use of "host" and "client", which I think should be reversed...?

Your default shell on the Solaris server is tcsh, which might be causing the problem. Perhaps try this instead:-

ssh root@client1 "echo set | bash > /tmp/root.ssh.bash.set"

I must agree with RudiC too, a client connects to a server, not the other way around.

Robin

Oops, I might have messed up "host" and "client" a little bit. Actually, I want to do a remote shutdown test from my "host" to shut down "all clients", and that's why I messed it up. I'll use your words below.

As you said, my first test command may not supply that variable. Do you mean client1 may not support the variable SSH_ORIGINAL_COMMAND?
Is this because the ssh version is too old? Is there any workaround?

Thanks.

man ssh :

That "command" is supplied in the SSH_ORIGINAL_COMMAND variable. Your ssh root@client1 doesn't supply one, so the variable will be empty/undefined. Supply one!

Thank you. This is root.ssh.bash.set

BASH=/usr/bin/bash
BASH_VERSINFO=([0]="2" [1]="03" [2]="0" [3]="1" [4]="release" [5]="sparc-sun-solaris")
BASH_VERSION='2.03.0(1)-release'
DIRSTACK=()
EUID=0
GROUP=other
GROUPS=()
HOME=/
HOST=client1
HOSTNAME=client1
HOSTTYPE=sparc
IFS='
'
LD_LIBRARY_PATH=/lib:/usr/lib:/usr/local/lib
LOGNAME=root
MACHTYPE=sparc-sun-solaris
MAIL=/var/mail/root
MANPATH=/usr/local/man:/usr/man:/usr/openwin/man:/home7/SUNWspro/man
OPTERR=1
OPTIND=1
OSTYPE=solaris
PATH=.:/:/usr/openwin/bin/xview:/usr/openwin/bin:/sbin:/usr/sbin:/usr/ccs/bin:/usr/bin:/usr/ucb:/bin:/usr/local:/usr/drac:/usr/local/bin:/usr/local/sbin
PPID=15550
PS4='+ '
PWD=/
SHELL=/bin/tcsh
SHELLOPTS=braceexpand:hashall:interactive-comments
SHLVL=2
SSH_CLIENT='172.26.80.85 38186 22'
SSH_CONNECTION='172.26.80.85 38186 172.26.80.82 22'
TERM=dumb
TZ=Asia/Taipei
UID=0
USER=root
VENDOR=sun
_=bash

---------- Post updated at 05:36 PM ---------- Previous update was at 05:17 PM ----------

Thank you so much for reminding me of this!
After I changed the default login shell of client1 root to bash, everything worked fine!

Also thanks to rbatte1 for giving me suggestions. :slight_smile:

It seems like I have to prepare two shell scripts for bash and tcsh if I don't want to change default root shell.
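
sshd hands the forced command to the account's login shell, so `source /root/testssh` makes tcsh interpret the bash script on client1. The following is an added example, not code from the thread: one wrapper that is executed rather than sourced, so its `#!` line selects the interpreter whatever the login shell is. The `command="/root/testssh"` entry, the install name `testssh`, and the function names `dispatch` and `main` are assumptions.

```shell
#!/bin/bash
# Added example, not from the thread. Assumed install: /root/testssh, mode 0700,
# referenced from authorized_keys as an executed path instead of "source ...":
#   command="/root/testssh" ssh-rsa AAAA... root@hostserver
# Executing the file lets the #! line pick the interpreter, so a tcsh login
# shell and a bash login shell on the server give the same behaviour.

# dispatch REQUEST: map the requested command to an allow-listed action.
# Prints the reply and returns 0 when allowed; returns 1 when refused.
dispatch() {
    case "$1" in
        shutdown)
            # Placeholder action, like the thread's test script.
            echo "This is $(uname)"
            ;;
        test)
            # uname -n is used here in place of hostname (same node name).
            echo "Test connection. This is $(uname -n)."
            ;;
        "")
            # "ssh root@server" with no command: nothing was requested.
            echo "No command supplied. Terminated." >&2
            return 1
            ;;
        *)
            # Exact-match allow-list: anything else, including an allowed
            # word with extra text appended, is refused.
            echo "Permission Denied. Terminated." >&2
            return 1
            ;;
    esac
}

# ${VAR-} expands to an empty string when the variable is unset, so a login
# without a command is refused cleanly instead of raising a shell error.
main() {
    dispatch "${SSH_ORIGINAL_COMMAND-}"
}

# Run only when executed under the assumed name, not when sourced for testing.
case "${0##*/}" in
    testssh) main; exit $? ;;
esac
```

Only the public key's `command=` option changes; `PermitRootLogin forced-commands-only` stays as in the first post.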