Commit 09405c22 authored by Kirill Smelkov, committed by Nicolas Wavrant

slaprunner/sshd: Fix quoting in ForceCommand

2a733418 (slaprunner: replaces dropbear by openssh) switched slaprunner
sshd from dropbear to openssh (thanks for it once again) and used
ForceCommand to imitate login shell to be partitions `${bash:location}/bin/bash -l`.

For case when original ssh command is explicitly provided
("$SSH_ORIGINAL_COMMAND" is not empty) the code there tries to just
execute what was provided by caller.

However the reexecution is not completely correct, as for cases when the
original command contains some quoting, 1 level of quotes is removed.

The case when I hit this in practice is git access to repositories over
ssh. When git wants to e.g. clone a repository it runs `git-upload-pack
quoted-path-to-repo.git` and fails this way:

```
$ GIT_TRACE=1 git clone ssh://host1/~/B.git
19:28:23.558858 git.c:350               trace: built-in: git 'clone' 'ssh://host1/~/B.git'
Cloning into 'B'...
19:28:23.572994 run-command.c:336       trace: run_command: 'ssh' 'host1' 'git-upload-pack '\''~/B.git'\'''
fatal: ''~/B.git'' does not appear to be a git repository
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.
```

Quoting SSH_ORIGINAL_COMMAND and evaluating it completely via eval fixes this.

/cc @Nicolas, @alain.takoudjou
parent 09f8b080
...@@ -60,7 +60,7 @@ mode = 0644 ...@@ -60,7 +60,7 @@ mode = 0644
recipe = slapos.recipe.template recipe = slapos.recipe.template
url = ${:_profile_base_location_}/instance-runner.cfg url = ${:_profile_base_location_}/instance-runner.cfg
output = ${buildout:directory}/template-runner.cfg.in output = ${buildout:directory}/template-runner.cfg.in
md5sum = 88563f5f1893e8a084de3f686ec0d27d md5sum = 8f7f649d1de6149f028d1442e7dfa593
mode = 0644 mode = 0644
[template-runner-import-script] [template-runner-import-script]
......
...@@ -222,7 +222,7 @@ template = inline: ...@@ -222,7 +222,7 @@ template = inline:
PasswordAuthentication no PasswordAuthentication no
PubkeyAuthentication yes PubkeyAuthentication yes
AuthorizedKeysFile $${buildout:directory}/.ssh/authorized_keys AuthorizedKeysFile $${buildout:directory}/.ssh/authorized_keys
ForceCommand if [ -z "$SSH_ORIGINAL_COMMAND" ]; then ${bash:location}/bin/bash -l; else $SSH_ORIGINAL_COMMAND; fi ForceCommand if [ -z "$SSH_ORIGINAL_COMMAND" ]; then ${bash:location}/bin/bash -l; else eval "$SSH_ORIGINAL_COMMAND"; fi
[runner-sshd-raw-server] [runner-sshd-raw-server]
recipe = slapos.cookbook:wrapper recipe = slapos.cookbook:wrapper
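Review bot: The else branch of the ForceCommand line, `eval "$SSH_ORIGINAL_COMMAND"`, parses the entire client-supplied string as shell source, and nothing in the template says that this is intended. Please add a comment next to it stating that this ForceCommand only emulates a login shell and is not a command restriction, so nobody later relies on it as one. The two branches also use different interpreters: the interactive branch pins `${bash:location}/bin/bash`, while the eval runs in whatever shell sshd used to start ForceCommand. Consider `exec ${bash:location}/bin/bash -c "$SSH_ORIGINAL_COMMAND"` so both paths parse quoting with the same shell.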
......
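The quoting difference behind this fix, as an added example that is not part of the original commit. `show_argv`, `argv_unquoted` and `argv_eval` are hypothetical helpers, `set --` stands in for running the real program, and the path containing a space is a constructed case that goes beyond the git clone shown in the commit message.

```shell
#!/bin/sh
# Constructed inputs: the command string from the GIT_TRACE output in the
# commit message, plus a constructed path containing a space.
SAMPLE_CMD="git-upload-pack '~/B.git'"
SPACE_CMD="git-upload-pack 'my repo.git'"

# Hypothetical helper: print each argument in brackets so quoting is visible.
show_argv() {
    for arg in "$@"; do printf '[%s]' "$arg"; done
}

# Old else-branch: `$SSH_ORIGINAL_COMMAND` unquoted. The value is only
# word-split (and globbed); quote characters in it are never parsed and
# reach the program as literal bytes.
argv_unquoted() {
    # Intentionally unquoted to reproduce the old behaviour.
    set -- $1
    shift                      # drop the program name, keep its arguments
    show_argv "$@"
}

# New else-branch: `eval "$SSH_ORIGINAL_COMMAND"`. The string is parsed as
# shell source, so quotes delimit words and are then removed, which is what
# sshd's usual `shell -c command` would have done.
argv_eval() {
    eval "set -- $1"
    shift
    show_argv "$@"
}

# Side-by-side view of the argument list each variant hands to the program.
for cmd in "$SAMPLE_CMD" "$SPACE_CMD"; do
    printf '%-32s unquoted: %-22s eval: %s\n' \
        "$cmd" "$(argv_unquoted "$cmd")" "$(argv_eval "$cmd")"
done
```

The unquoted variant hands git-upload-pack a path that still contains the literal quote characters, matching the `''~/B.git''` in the error output above.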