No-user-rc in authorized_keys prevent logging in with SSH

WildPenquin · February 14, 2023, 10:58am

Hi,

I'm creating an account for running a single command when connecting with SSH into the router (Archer C7 v2 running OpenWRT 22.03.3, r20028-43d71ad93e). I'm using an authorized_keys file with a line disabling features I do not need for this purpose for security reasons:

command="mycommand",no-X11-forwarding,no-user-rc,no-port-forwarding,no-agent-forwarding ssh-ed25519  ....

I noticed that with no-user-rc my key is not accepted. Even if I just use:

no-user-rc ssh-ed25519  ....

the log in fails with Permission denied (publickey). Removing no-user-rc logging in works.

~/.ssh/rc does not exists, though as far as I understand this should not be a factor. I know, makes no sense to disable it if the file does not exists, but in principle it could be an additional attack vector.

Any idea why this is? Is this a bug in SSH/dropbear, or a feature? Have I misunderstood something in the documentation?

Cheers!

frollic · February 14, 2023, 10:59am

Dropbear Key Location perhaps ?

jow · February 14, 2023, 11:09am

I would say that dropbear simply rejects pubkey entries with options it does not recognize, for security reasons. It's the sensitive thing to do. If you don't recognize an option you can't enforce it, so it's best to refuse authentication completely instead of inadvertently accepting something the administrator presumes to be denied.

And here's the proof in code of my assumption:

github.com

mkj/dropbear/blob/master/svr-authpubkeyoptions.c#L307-L324


      
          		/*
          		 * Skip the comma, and move to the next option
          		 * (or break out if there are no more).
          		 */
          		if (options_buf->pos < options_buf->len 
          				&& buf_getbyte(options_buf) != ',') {
          			goto bad_option;
          		}
          		/* Process the next option. */
          	}
          	/* parsed all options with no problem */
          	ret = DROPBEAR_SUCCESS;
          	goto end;
          
          
bad_option:
          	ret = DROPBEAR_FAILURE;
          	svr_pubkey_options_cleanup();
          	dropbear_log(LOG_WARNING, "Bad public key options at %s:%d", filename, line_num);

There's no match_option() clause for "no-user-rc"

WildPenquin · February 14, 2023, 11:38am

Ah, that explains it!

I sometimes forget I'm actually using dropbear instead of sshd from openssh - but I'm using the documentation of the latter!

Thanks!

system · February 24, 2023, 11:39am

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.