PowerShell / Win32-OpenSSH

Win32 port of OpenSSH

SSH_ORIGINAL_COMMAND not set for second command #1417

Open snweiss opened 5 years ago

snweiss commented 5 years ago

"OpenSSH for Windows" version: 7.7.2.0

Server OperatingSystem: Windows 10 Enterprise.

Client OperatingSystem: Windows 10 Enterprise.

What is failing: When executing a second command in the same session, sshd does not update the SSH_ORIGINAL_COMMAND environment variable.

After setting up a ForceCommand configuration, the issue can be replicated using the following Python snippet.

    import paramiko
    cl = paramiko.client.SSHClient()
    cl.load_system_host_keys()
    cl.connect("<IP>", username="<USER>", password="<PASSWORD>")
    cl.exec_command("ipconfig")
    cl.exec_command("ping 127.0.0.1")

It seems that the issue is in do_exec_windows where the environment is updated only once per session.

Expected output: SSHD executes ipconfig and then ping.

Actual output: SSHD executes ipconfig twice.

ShaZeh commented 5 years ago

This actually seems to do what I would expect it to do; the goal of this function is meant to restrict the client to one command. I am currently planning on using this to prevent the user from being able to execute anything except one specific command to prevent any vulnerabilities. Allowing users to execute anything afterward would entirely defeat the purpose of this configuration server side. You can already specify a command to execute client side upon successful connection.

ForceCommand Forces the execution of the command specified by ForceCommand, ignoring any command supplied by the client and ~/.ssh/rc if present. The command is invoked by using the user's login shell with the -c option. This applies to shell, command, or subsystem execution.

snweiss commented 5 years ago

@ShaZeh I'd expect the forced command to be executed each time, so it doesn't defeat the purpose, and the server can then allow multiple "safe" commands on a single session. This seems to be the current behavior on UNIX (https://github.com/openssh/openssh-portable/blob/master/session.c)
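A ForceCommand wrapper of the kind discussed in this thread, as an added example that is not part of the thread or of Win32-OpenSSH: it authorizes each request from SSH_ORIGINAL_COMMAND, and a small model shows why a stale value makes it repeat the first command. The allow-list and the names `resolve` and `simulate_session` are hypothetical; `simulate_session` only models the reported behaviour and is not sshd's code.

```python
import ipaddress
import os
import subprocess
import sys

def resolve(env):
    """Map SSH_ORIGINAL_COMMAND to an argv list, or None to refuse."""
    words = env.get("SSH_ORIGINAL_COMMAND", "").split()
    if words == ["ipconfig"]:
        return ["ipconfig"]
    if len(words) == 2 and words[0] == "ping":
        try:
            # Only a literal IP address is accepted as the argument,
            # so switches and shell metacharacters never match.
            return ["ping", str(ipaddress.ip_address(words[1]))]
        except ValueError:
            return None
    return None  # no command (shell request) or anything not listed

def simulate_session(requests, refresh_env=True):
    """Model a server running the forced command once per exec request.

    refresh_env=False models the behaviour reported in this issue:
    the variable keeps the value from the session's first request.
    """
    env, decisions = {}, []
    for i, requested in enumerate(requests):
        if refresh_env or i == 0:
            env["SSH_ORIGINAL_COMMAND"] = requested
        decisions.append(resolve(env))
    return decisions

def main():
    argv = resolve(os.environ)
    if argv is None:
        print("command not permitted", file=sys.stderr)
        return 1
    # List argv with shell=False: the client's string is never parsed by a shell.
    return subprocess.run(argv, shell=False).returncode

if __name__ == "__main__":
    sys.exit(main())
```

With `refresh_env=False` the second request in the repro resolves to `ipconfig` again, because the wrapper's decision rests entirely on the variable the server hands it.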