
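--- a/readconf.c
+++ b/readconf.c
@@ -138,6 +138,7 @@
 	oTunnel, oTunnelDevice, oLocalCommand, oPermitLocalCommand,
 	oVisualHostKey, oUseRoaming, oZeroKnowledgePasswordAuthentication,
 	oKexAlgorithms, oIPQoS, oRequestTTY, oIgnoreUnknown, oProxyUseFdpass,
+  oRemoteCommand, oPermitRemoteCommand,
 	oIgnoredUnknownOption, oDeprecated, oUnsupported
 } OpCodes;
 
@@ -238,6 +239,7 @@
 	{ "tunneldevice", oTunnelDevice },
 	{ "localcommand", oLocalCommand },
 	{ "permitlocalcommand", oPermitLocalCommand },
+	{ "permitremotecommand", oPermitRemoteCommand },
 	{ "visualhostkey", oVisualHostKey },
 	{ "useroaming", oUseRoaming },
 #ifdef JPAKE
@@ -251,6 +253,7 @@
 	{ "requesttty", oRequestTTY },
 	{ "proxyusefdpass", oProxyUseFdpass },
 	{ "ignoreunknown", oIgnoreUnknown },
+	{ "remotecommand", oRemoteCommand },
 
 	{ NULL, oBadOption }
 };
@@ -1020,10 +1023,18 @@
 		charptr = &options->local_command;
 		goto parse_command;
 
+	case oRemoteCommand:
+		charptr = &options->remote_command;
+		goto parse_command;
+
 	case oPermitLocalCommand:
 		intptr = &options->permit_local_command;
 		goto parse_flag;
 
+	case oPermitRemoteCommand:
+		intptr = &options->permit_remote_command;
+		goto parse_flag;
+
 	case oVisualHostKey:
 		intptr = &options->visual_host_key;
 		goto parse_flag;
@@ -1232,6 +1243,8 @@
 	options->tun_remote = -1;
 	options->local_command = NULL;
 	options->permit_local_command = -1;
+	options->remote_command = NULL;
+	options->permit_remote_command = -1;
 	options->use_roaming = -1;
 	options->visual_host_key = -1;
 	options->zero_knowledge_password_authentication = -1;
@@ -1379,6 +1392,8 @@
 		options->tun_remote = SSH_TUNID_ANY;
 	if (options->permit_local_command == -1)
 		options->permit_local_command = 0;
+	if (options->permit_remote_command == -1)
+		options->permit_remote_command = 0;
 	if (options->use_roaming == -1)
 		options->use_roaming = 1;
 	if (options->visual_host_key == -1)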
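Review bot: The added enum line `oRemoteCommand, oPermitRemoteCommand,` in the OpCodes hunk is indented with two spaces, while every neighbouring entry is indented with a tab; it should use a tab to match the file. The new `case oRemoteCommand:` block would also benefit from a one-line comment such as `/* ignored by ssh.c unless PermitRemoteCommand is set */`, because the gate is enforced in a different file and a reader of readconf.c cannot see it. The `parse_command` and `parse_flag` targets are outside the visible hunks.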
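--- a/readconf.h
+++ b/readconf.h
@@ -132,6 +132,8 @@
 
 	char	*local_command;
 	int	permit_local_command;
+	char	*remote_command;
+	int	permit_remote_command;
 	int	visual_host_key;
 
 	int	use_roaming;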
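--- a/ssh.1
+++ b/ssh.1
@@ -460,6 +460,7 @@
 .It NumberOfPasswordPrompts
 .It PasswordAuthentication
 .It PermitLocalCommand
+.It PermitRemoteCommand
 .It PKCS11Provider
 .It Port
 .It PreferredAuthentications
@@ -468,6 +469,7 @@
 .It ProxyUseFdpass
 .It PubkeyAuthentication
 .It RekeyLimit
+.It RemoteCommand
 .It RemoteForward
 .It RequestTTY
 .It RhostsRSAAuthentication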
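--- a/ssh.c
+++ b/ssh.c
@@ -730,8 +730,13 @@
 	    options.request_tty == REQUEST_TTY_FORCE)
 		tty_flag = 1;
 
+	if (options.remote_command != NULL &&
+			!options.permit_remote_command)
+			options.remote_command = NULL;
+
 	/* Allocate a tty by default if no command specified. */
-	if (buffer_len(&command) == 0)
+	if (buffer_len(&command) == 0 || (options.remote_command != NULL && 
+			!subsystem_flag))
 		tty_flag = options.request_tty != REQUEST_TTY_NO;
 
 	/* Force no tty */
@@ -779,6 +784,20 @@
 		    (char *)NULL);
 		debug3("expanded LocalCommand: %s", options.local_command);
 		free(cp);
+	}
+
+	if (options.remote_command != NULL && !subsystem_flag &&
+			buffer_len(&command) == 0) {
+		debug3("expanding RemoteCommand: %s", options.local_command);
+		cp = options.remote_command;
+		options.remote_command = percent_expand(cp,
+				"h", host, "l", thishost, "n", host_arg, "r", options.user,
+				"p", portstr, "u", pw->pw_name, "L", shorthost,
+				(char *)NULL);
+		buffer_append(&command, options.remote_command,
+				strlen(options.remote_command));
+	  debug3("expanded RemoteCommand: %s", options.remote_command);
+	  free(cp);
 	}
 
 	/* force lowercase for hostkey matching */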
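Review bot: The added `debug3("expanding RemoteCommand: %s", options.local_command);` in the second hunk logs the wrong field; it should read `debug3("expanding RemoteCommand: %s", options.remote_command);`. `options.local_command` is initialised to NULL in readconf.c and presumably stays NULL when no LocalCommand is configured, so the current line can pass NULL to `%s`. The expanded string is appended to `command` unquoted and is presumably interpreted by the remote shell, so the `%n` and `%h` values that come from the command line should be checked for shell metacharacters before expansion, or the manual page should state that they are inserted verbatim. In the first hunk the extra clause `(options.remote_command != NULL && !subsystem_flag)` can only change the result when a command was given on the command line, which is the case where RemoteCommand is not used, so keeping `if (buffer_len(&command) == 0)` looks sufficient. Both hunks sit inside a function whose start and end are outside the view.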
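--- a/ssh_config
+++ b/ssh_config
@@ -43,6 +43,7 @@
 #   Tunnel no
 #   TunnelDevice any:any
 #   PermitLocalCommand no
+#   PermitRemoteCommand no
 #   VisualHostKey no
 #   ProxyCommand ssh -q -W %h:%p gateway.example.com
 #   RekeyLimit 1G 1h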
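--- a/ssh_config.5
+++ b/ssh_config.5
@@ -862,6 +862,15 @@
 .Dq no .
 The default is
 .Dq no .
+.It Cm PermitRemoteCommand
+Allow remote command execution via the
+.Ic RemoteCommand
+The argument must be
+.Dq yes
+or
+.Dq no .
+The default is
+.Dq no .
 .It Cm PKCS11Provider
 Specifies which PKCS#11 provider to use.
 The argument to this keyword is the PKCS#11 shared library
@@ -980,6 +989,28 @@
 which means that rekeying is performed after the cipher's default amount
 of data has been sent or received and no time based rekeying is done.
 This option applies to protocol version 2 only.
+.It Cm RemoteCommand
+Specifies the command that will be executed on the remote machine.
+The following escape character substitutions will be performed:
+.Ql %h
+(remote host name),
+.Ql %l
+(local host name),
+.Ql %n
+(host name as provided on the command line),
+.Ql %p
+(remote port),
+.Ql %r
+(remote user name) or
+.Ql %u
+(local user name).
+.Pp
+This directive is ignored unless
+.Cm PermitRemoteCommand
+has been enabled. Specifing a command on the 
+.Xr ssh 1
+command line will disable the
+.Cm RemoteCommand
 .It Cm RemoteForward
 Specifies that a TCP port on the remote machine be forwarded over
 the secure channel to the specified host and port from the local machine.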
(-)regress/Makefile (-1 / +3 lines)
Lines 63-69 Link Here
63
		keys-command \
63
		keys-command \
64
		forward-control \
64
		forward-control \
65
		integrity \
65
		integrity \
66
		krl
66
		krl \
67
		remotecommand \
68
		remote_host-expand 
67
69
68
INTEROP_TESTS=	putty-transfer putty-ciphers putty-kex conch-ciphers
70
INTEROP_TESTS=	putty-transfer putty-ciphers putty-kex conch-ciphers
69
#INTEROP_TESTS+=ssh-com ssh-com-client ssh-com-keygen ssh-com-sftp
71
#INTEROP_TESTS+=ssh-com ssh-com-client ssh-com-keygen ssh-com-sftp
(-)regress/README.regress (-1 / +1 lines)
Lines 31-37 Link Here
31
TEST_SSH_PORT: TCP port to be used for the listening tests.
31
TEST_SSH_PORT: TCP port to be used for the listening tests.
32
TEST_SSH_SSH_CONFOPTS: Configuration directives to be added to ssh_config
32
TEST_SSH_SSH_CONFOPTS: Configuration directives to be added to ssh_config
33
	before running each test.
33
	before running each test.
34
TEST_SSH_SSHD_CONFOTPS: Configuration directives to be added to sshd_config
34
TEST_SSH_SSHD_CONFOPTS: Configuration directives to be added to sshd_config
35
	before running each test.
35
	before running each test.
36
36
37
37
(-) (+17 lines)
Added Link Here
1
#	Placed in the Public Domain.
2
3
tid="remote expand %h and %n"
4
5
echo 'PermitRemoteCommand yes' >> $OBJ/ssh_proxy
6
echo "RemoteCommand echo \"%n %h\" > $OBJ/actual" >> $OBJ/ssh_proxy
7
8
cat >$OBJ/expect <<EOE
9
somehost 127.0.0.1
10
EOE
11
12
for p in 1 2; do
13
	verbose "test $tid: proto $p"
14
	${SSH} -F $OBJ/ssh_proxy -$p somehost
15
	diff $OBJ/expect $OBJ/actual || fail "$tid proto $p"
16
done
17
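Review bot: `$OBJ/actual` is never removed, so the `diff` in the proto 2 iteration can succeed on the file left behind by the proto 1 run (or by an earlier test run) even if the second connection wrote nothing. Adding `rm -f $OBJ/actual` as the first line of the loop body makes each iteration prove its own output. The `${SSH}` exit status is also not checked, so a failed connection is only noticed indirectly through the diff.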
(-) (+33 lines)
Added Link Here
1
#	$OpenBSD: Exp $
2
#	Placed in the Public Domain.
3
4
tid="remotecommand"
5
6
echo "RemoteCommand touch $OBJ/remote_test" >> $OBJ/ssh_proxy
7
8
for p1 in disabled enabled; do
9
  for p in 1 2; do
10
    verbose "test $tid: proto $p remotecommand cmd override. $p1"
11
    ${SSH} -F $OBJ/ssh_proxy -$p somehost touch $OBJ/remote_command_tt
12
    if [ -f $OBJ/remote_test ] ; then
13
      fail "$tid proto $p cmd override failed"
14
    fi
15
    if [ ! -f $OBJ/remote_command_tt ] ; then
16
      fail "$tid proto $p cmd override no cmdline"
17
    fi
18
    [ -f $OBJ/remote_test ] && rm $OBJ/remote_test
19
    [ -f $OBJ/remote_command_tt ] && rm $OBJ/remote_command_tt
20
  done
21
  echo 'PermitRemoteCommand yes' >> $OBJ/ssh_proxy
22
done
23
  
24
25
for p in 1 2; do
26
	verbose "test $tid: proto $p remotecommand cmd override"
27
	${SSH} -F $OBJ/ssh_proxy -$p somehost
28
	if [ ! -f $OBJ/remote_test ] ; then
29
    fail "$tid proto $p"
30
  else
31
    rm $OBJ/remote_test
32
	fi
33
done
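Review bot: The test never exercises the `PermitRemoteCommand` gate itself: in the `disabled` iteration a command is given on the command line, and that overrides `RemoteCommand` whether or not it is permitted, so the check passes even if the gate is broken. A case that runs `${SSH} -F $OBJ/ssh_proxy -$p somehost </dev/null` before `PermitRemoteCommand yes` is appended, and then fails if `$OBJ/remote_test` exists, would cover it. The final loop's message `remotecommand cmd override` is copied from the first loop, although that loop tests the case without a command-line command; something like `remotecommand no cmdline` would describe it. `$OBJ/remote_test` is also not removed before the first run, so a stale file from an earlier run would cause a spurious failure.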
