[erlang-bugs] standard ssh to erlang sshd gives default shell, not the one specified in ssh:daemon/3

andrei zavada <>
Tue Aug 3 16:58:22 CEST 2010

Hi Niclas & all,

I gave it a try, and have a few things to note.

1. The exec option is not documented; it would be nice if it was.

2. Execution of command passed on ssh commandline is indeed suppressed if
ssh:daemon is started with an {exec, {M,F,A}} option.  Plugging an empty
function as "F" could be a simple solution for the folks recently (rightly)
raising this as a security issue.

3. However, {exec, {M,F,A}} doesn't seem to work.  Following your example, I
couldn't get my fun called.  Looking into the sources in ssh_cli.erl, it
appears in this branch of handle_ssh_msg:

handle_ssh_msg({ssh_cm, ConnectionManager, 
		{exec, ChannelId, WantReply, Cmd}}, #state{exec=undefined} = State) -> {Reply, Status} =
		 exec(Cmd), write_chars(ConnectionManager, 
		ChannelId, io_lib:format("~p\n", [Reply])),
    ssh_connection:reply_request(ConnectionManager, WantReply, 
				 success, ChannelId),
    ssh_connection:exit_status(ConnectionManager, ChannelId, Status),
    ssh_connection:send_eof(ConnectionManager, ChannelId),
    {stop, ChannelId, State#state{channel = ChannelId, cm = ConnectionManager}};

handle_ssh_msg({ssh_cm, ConnectionManager,
		{exec, ChannelId, WantReply, Cmd}}, State) ->
    NewState = start_shell(ConnectionManager, Cmd, State),
    ssh_connection:reply_request(ConnectionManager, WantReply,
				 success, ChannelId),
    {ok, NewState#state{channel = ChannelId,
			cm = ConnectionManager}};

the second one, which is supposed to take effect when the user has supplied
an {exec, {M, F, A}} option, seems to never be reachable.

3. Down in start_shell and below, there is a call starting a group, similarly
to the way this is done for the regular, interactive shell.  IMHO, if all I
need is connect via ssh, exec my command and return, a simple function call
will suffice.

4. In the context of the project I am fitting ssh into, I need to know who is
the user wanting to exec a command via ssh <host> <command>; hence, the
solution you pointed out with {exec, {M,F,A}}, isn't suitable.  Even before, I
have prepared a patch (attached) for otp-13B04 to do exactly this.  This
patch will, likely with some fuzz, apply to otp-14A as well.

With my patch, you would call ssh:daemon/3 with something like this in the
Options parameter:

  Exec4User = fun(User, Cmd) -> do_something(User, Cmd), "Done" end,
  ssh:daemon(Port, Address, {{exec4user, Exec4User} | OtherOptions}),

5. The solution I am proposing is of a "works-for-me" kind; someone has to
look into why the {exec, {M,F,A}} fails.  In other words, there is little
sense for both exec and exec4user to coexist: let upstream decide.

Andrei Zavada

On Mon, 2 Aug 2010 14:22:09 +0200 (CEST)
Niclas Eklund <> wrote:

> Hello!
> Try something like:
>    Exec = {Module, Function, ArgList},
>    ssh:daemon({0,0,0,0}, <PORT>, [{exec, Exec}|Options]).
> Best regards,
> Niclas @ Erlang/OTP
> On Mon, 26 Jul 2010, andrei zavada wrote:
> > Hi,
> >
> > Consider the case of starting ssh:daemon/3 with bespoke shell supplied as
> > {shell, {Module, Function, Args}} in the proplist as its third parameter.
> >
> > Everything works as expected if I just do (using openssh-5.5_p1, the
> > current version in Gentoo per this writing)
> >
> > $ ssh -p<port> localhost
> >
> > My shell is now invoked and is happily serving commands.  Once I try the
> > same with a command-line parameter, i.e.,
> >
> > $ ssh -p<port> localhost fafa
> >
> > (expecting "fafa" to be passed to my shell function), the server hands
> > "fafa" over to the Erlang standard shell, which prints:
> >
> > {error,{1,erl_parse,["syntax error before: ",[]]}}
> >
> > And, logically, appending a dot to "fafa" makes it a valid Erlang
> > expression, which gets me a nice
> >
> > fafa
> >
> > The expected behaviour is that sshd accept the command and feed it to the
> > custom shell the user specified in the Options proplist.
> >
> > This misbehaviour is verified in otp-12B-5, otp-13B04, as well as in
> > otp-14A. All systems were tested on a Gentoo box (~amd64 arch), built
> > from unpatched sources from erlang.org.
> >
> > Is this a bug, as I suppose it is?
> >
> > Regards
> > Andrei Zavada
> >
> > ________________________________________________________________
> > erlang-bugs (at) erlang.org mailing list.
> > See http://www.erlang.org/faq.html
> > To unsubscribe; mailto:
> >

-------------- next part --------------
A non-text attachment was scrubbed...
Name: exec4user.patch
Type: text/x-patch
Size: 5175 bytes
Desc: not available
URL: <http://erlang.org/pipermail/erlang-bugs/attachments/20100803/e005216c/attachment.bin>

More information about the erlang-bugs mailing list