When a remote ssh client requests to run a command on the server, the OpenSSH server launches the local user's shell with the "-c" option to run the command. It runs the equivalent of this:
$SHELL -c 'the requested command'
E.g., if the remote user ran:
ssh user@somehost 'rm -rf /'
and "user@somehost" had /bin/bash as his shell, then the server would run the equivalent of:
/bin/bash -c 'rm -rf /'
SFTP is a little more complicated, but you end up in the same place. The remote client requests the server to run the "sftp" subsystem. In the server's sshd_config file, you probably have a line like this:
Subsystem sftp /path/to/sftp-server
That line says "When a client requests the 'sftp' subsystem, run /path/to/sftp-server". sftp-server is a program included with OpenSSH which implements the server part of the SFTP protocol. So when an ssh client connects and requests the sftp subsystem, the server ends up running:
$SHELL -c /path/to/sftp-server
(There is a special case called "internal-sftp" which I won't go into here.)
Now, you've written a script named /usr/bin/redtest and set it to be the user's shell. So when a remote user tries to run sftp, the server will end up running:
/usr/bin/redtest -c /path/to/sftp-server
Your redtest script ignores its command line and just starts a plain ssh session to the target server. It never runs the sftp-server program on the target server.
To make this work, you need to make redtest start sftp-server on the target host when redtest is run in this fashion. If you're not too picky about what the user runs on the target host, then something like this ought to work:
#!/bin/bash
# sshd invokes this as "redtest -c '<command>'" when the client requests a
# command or subsystem, and as "-redtest" (no arguments) for a login session.
if [ "$1" = "-c" ]
then
    # pass the requested command through to the target host
    exec /usr/bin/ssh -F ~/.ssh/config redtest "$2"
else
    # interactive login: request a tty on the target host
    exec /usr/bin/ssh -F ~/.ssh/config -t redtest
fi
This will pass through any command requested by the client, not just sftp. This shouldn't be a problem, since users apparently have root command-line access to the target servers anyway.
You may run into a problem here if the jump host and the target host don't have the sftp-server program in the same place. The ssh server on the jump host will try to run sftp-server using the path from the jump host's config, which may not be correct for the target host. You'll have to make sure sftp-server can be invoked on the target host, using the path in the jump host's sshd_config.
If you want to make the redtest script more sophisticated, you could arrange for it to run something like this when the remote user tries to run sftp:
/usr/bin/ssh redtest -F ~/.ssh/config -s sftp
The -s and sftp arguments specifically request to run the sftp subsystem on the target host.
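The following is an added example, not code from the original answer or from OpenSSH: a fuller redtest wrapper that combines the plain pass-through script above with the "-s sftp" refinement, so that the target host resolves its own sftp-server path and the path mismatch described above cannot bite. It assumes (not stated in the post) that the target is the alias "redtest" in the user's own ~/.ssh/config, which supplies the Hostname/User/IdentityFile; classify_request and main are names chosen for this example.

```shell
#!/bin/bash
# Added example (not from the original answer or OpenSSH): a login-shell
# wrapper for the jump host. sshd invokes it either as "redtest -c '<cmd>'"
# (the client asked for a command or subsystem) or as "-redtest" with no
# arguments (an interactive login).
# Assumptions not stated in the post: the target host is the alias "redtest"
# in the user's own ~/.ssh/config, which supplies Hostname/User/IdentityFile.

TARGET_ALIAS="redtest"
SSH_CONFIG="$HOME/.ssh/config"

# Classify what the jump host's sshd asked for. Prints one word:
#   sftp         the command is the sftp-server binary named on the jump
#                host's sshd_config Subsystem line, wherever it lives there
#   command      any other "-c <command>" request (passed through unchanged)
#   interactive  no command at all, i.e. a login session
classify_request() {
    if [ "$1" = "-c" ]; then
        # look only at the first word (the Subsystem line may carry options
        # such as "-u 0022") and match on its basename, so the jump host's
        # path does not have to exist on the target
        case "${2%% *}" in
            */sftp-server|sftp-server) echo sftp ;;
            *)                         echo command ;;
        esac
    else
        echo interactive
    fi
}

main() {
    case "$(classify_request "$@")" in
        # "-s sftp" asks the target's sshd for its own sftp subsystem, so the
        # target's Subsystem line decides where sftp-server is
        sftp)        exec /usr/bin/ssh -F "$SSH_CONFIG" -s "$TARGET_ALIAS" sftp ;;
        # arbitrary commands still go through; as the answer notes, these
        # users already have shell access on the target anyway
        command)     exec /usr/bin/ssh -F "$SSH_CONFIG" "$TARGET_ALIAS" "$2" ;;
        # a login: allocate a tty on the target so the remote shell is usable
        interactive) exec /usr/bin/ssh -F "$SSH_CONFIG" -t "$TARGET_ALIAS" ;;
    esac
}

# Only connect when actually running as the login shell: sshd passes the
# shell's basename ("redtest", or "-redtest" for a login) as $0. Loading
# this file under any other name just defines the functions above.
case "${0##*/}" in
    redtest|-redtest) main "$@" ;;
esac
```

Install it as /usr/bin/redtest, list it in /etc/shells and set it as the user's shell. The jump host's sshd_config still needs a Subsystem sftp line so sshd accepts sftp requests at all, but the binary it names no longer has to be installed at that path on the target, because the target's own sshd looks up its own Subsystem line when it receives the subsystem request. Everything other than sftp is passed through unchanged, exactly as with the shorter script.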
http://superuser.com/questions/96489/ssh-tunnel-via-multiple-hops, does the answer suggesting a proxycommand help you here? – Paul – 2015-06-16T20:51:46.430
Appreciate the reply. My first attempt was with tunneling and that worked pretty well when I ran it command line. Since the tunnel needs to be user specific, I don't think I can put it into the main ssh config. Hence the SSH -> SSH on login -> End system. The second SSH is breaking the tunnel. This may just be not possible. – sashman13 – 2015-06-16T21:42:12.593