Ssh – Forcing command on ssh’s authorized_keys merges STDOUT and STDERR

redirectionsshssh-keysstderrstdout

I've been working to have a script in a centralized server to do some things and output a .tar.gz file (see redirect temporarily STDOUT to another file descriptor, but still to screen). I also have exchanged ssh keys, so now from a client machine I can execute the script in my main server and output the result to a .tar.gz file in the client while seeing all the other output (STDERR) of the script:

me@client:~$ ssh auto@remoteserver /usr/local/bin/myscript.sh > content.tar.gz
// shows the output of the STDERR here...

me@client:~$ tar ztf content.tar.gz
content/file.txt
content/foobar.txt
...

But if I force the execution of this command putting the command option in the ~/.ssh/authorized_keys:

#/home/auto/.ssh/authorized_keys file
command="/usr/local/bin/myscript.sh",from="client" ssh-rsa 0UYmshd5FSDFf2fd...

and execute the following, it does not work:

me@client:~$ ssh auto@remoteserver > content.tar.gz
// shows **NOTHING**

me@client:~$ tar ztf content.tar.gz
gzip: stdin: not in gzip format
tar: Child returned status 1
tar: Error is not recoverable: exiting now

if I look into the file, it contains both the STDERR and the STDOUT. Any idea why it is getting mixed? And more importantly, any idea on how to avoid this?

ps: I should mention that myscript.sh is a wrapper for the main script, that basically calls the main script with a set of fixed params:

#!/bin/sh
# myscript.sh: wrapper for mainscript.sh to use by the user auto with ssh-keys
/usr/local/bin/mainscript.sh foo bar

Best Answer

The first way you invoke the command doesn't create a pty, while the second may or may not. Try telling sshd not to create a pty. In your authorized_keys file:
command="/usr/local/bin/myscript.sh",from="client",no-pty ssh-rsa...

If you want to ssh from the command line when the no-pty option is set in your authorized_keys files you must redirect the STDIN to read from /dev/null or you would get an error saying PTY allocation request failed on channel 0:

$ ssh auto@remoteserver < /dev/null > content.tar.gz

If instead you do the ssh command without a controlling terminal, there's not STDIN available and you can omit the < /dev/null part. So in cron you might do the following without problem:

0 4 * * * ssh auto@remoteserver > content.tar.gz

Related Solutions

SSH – Difference Between authorized_keys and authorized_keys2

In OpenSSH prior to version 3, the sshd man page used to say:

The $HOME/.ssh/authorized_keys file lists the RSA keys that are permitted for RSA authentication in SSH protocols 1.3 and 1.5 Similarly, the $HOME/.ssh/authorized_keys2 file lists the DSA and RSA keys that are permitted for public key authentication (PubkeyAuthentication) in SSH protocol 2.0.

The release announcement for version 3 states that authorized_keys2 is deprecated and all keys should be put in the authorized_keys file.

Ssh – How to update OpenSSL using Putty and yum command

As a worst-case scenario, you could always just compile your own version of openssl as an RPM for your system, and then rpm -ihv.

EDIT: Starting with the source file (.tar.gz), here's what you want to do:

1) Create a new directory to house the RPM hierarchy.

# mkdir -p myopenssl/BUILD myopenssl/RPMS myopenssl/SOURCES myopenssl/SPECS myopenssl/SRPMS

2) Go into the SOURCES directory, and download your source openssl.tar.gz

# cd myopenssl/SOURCES
# mv openssl.tar.gz myopenssl/SOURCES/

3) Create a spec file that provides the necessary metadata (you will need to verify all the values are correct)

--- spec ----
%define _topdir     /home/user/myopenssl
%define name            openssl
%define release     0
%define version     x.x
%define buildroot %{_topdir}/%{name}-%{version}-root

BuildRoot:  %{buildroot}
Summary:        openssl
License:        GPL
Name:           %{name}
Version:        %{version}
Release:        %{release}
Source:         %{name}-%{version}.tar.gz
Prefix:         /usr
Group:          Development/Tools

%description
Special build of openssl for centos.

%prep
%setup -q

%build
./configure
make

%install
make install prefix=$RPM_BUILD_ROOT/usr

%files
%defattr(-,root,root)
/usr/local/bin/openssl

%doc %attr(0444,root,root) /usr/local/share/man/man1/openssl.1

4) After you have a spec file, use the rpmbuild command to build your RPM

# rpmbuild -v -bb --clean myopenssl/SPECS/openssl.spec

5) Your RPM is built at this point... use the following command to look at the contents:

# rpm -Vp RPMS/i386/myopenssl.i386.rpm

6) To install it, run the following as root:

# rpm -ihv myopenssl.i386.rpm

Hope this helps!

Best Answer

Related Solutions

SSH – Difference Between authorized_keys and authorized_keys2

Ssh – How to update OpenSSL using Putty and yum command

Related Topic