SSH files that can bite you in the ass

Today, I learned about the existence of ~/.ssh/rc and some of its side effects.

Today, Dave couldn’t figure out why he was unable to launch an X application from a machine we both use. We both started looking into it, and it looked like xauth wasn’t being called to update the .Xauthority file. We spent a good half hour or more looking around trying to figure out if it was a bug in OpenSSH on his mac, or one on the Linux server, if xauth was wonky, or what other small differences there were between his server side environment and mine.

During the search I found this post on a Debian mailing list. It was a red herring as it had us investigating a few dead ends. However, it did point out to my mind the existence of the ~/.ssh/rc file. Up until this point, I didn’t know of this files existence. Anyway, while looking in ~dave/.ssh/ I saw he had such a file.

To quote from the man page:

$HOME/.ssh/rc
Commands in this file are executed by ssh when the user logs in
just before the user’s shell (or command) is started. See the
sshd(8) manual page for more information.

There was an emacs backup file (rc~) there, which I looked into. At one time Dave used it to set a umask for all his connections that came in via ssh. For whatever reason, he must have decided that was not doing what he wanted, so he removed the umask line, but didn’t remove the file. Because the file existed, ssh was trying to execute the commands in it, and since there was nothing in it, ssh did nothing and dumped him to a shell.

From the behavior of ssh, it appears there is a “default” rc that happens if you don’t have one or one doesn’t exist in /etc/ssh. One of the tasks of this default includes calling xauth if you’re doing X11 forwarding. By having an empty file there, Dave was bypassing all of it. I haven’t taken the time to see what other side effects came about from that, but there must not have been much, as Dave hadn’t noticed it since last April (at least according to the mod time on the rc file.)

Dave just IMed me and told me to look at the sshd man page and see the following:

When a user successfully logs in, sshd does the following:
[snip]
8. If $HOME/.ssh/rc exists, runs it; else if /etc/ssh/sshrc
exists, runs it; otherwise runs xauth. The “rc” files are
given the X11 authentication protocol and cookie in standard
input.

One other thing we learned in this is that xauth is dumb dumb stupid. xauth won’t create a .Xauthority file if there is nothing to put into it, such as when you call “xauth list” when a file doesn’t exist. However, if you do an “xauth list” and you don’t have a .Xauthority file, xauth spits out a diagnostic message saying its creating it. In reality, it doesn’t really create the file. Bad coding on someone’s part. This wasted us time, as we though it was xauth that was broken, not Dave’s ssh environment. One could argue that xauth IS broken by demonstrating this behavior, but that’s a different rant.

2 thoughts on “SSH files that can bite you in the ass”

  1. Thanks Keith, those rc files in the man page never registered in my brain, but now I’m thinking of various nefarious uses for them. Just have to remember to write to standard error, not standout out with any of them, as per man pages.

Leave a Reply