| 204 | } |
| 205 | |
// OnSubsystem enforces the configured subsystem execution policy for a
// subsystem request and then hands the request to the backend.
//
// The policy comes from s.getPolicy(s.config.Subsystem.Mode):
//   - ExecutionPolicyDisable rejects every subsystem;
//   - ExecutionPolicyFilter rejects a subsystem unless it is listed in
//     s.config.Subsystem.Allow;
//   - ExecutionPolicyEnable rejects a subsystem that is listed in
//     s.config.Subsystem.Deny.
//
// Any other mode value reaches the execution path below without a check
// (the switch has no rejecting default), so getPolicy must never yield an
// unexpected value — worth confirming against its definition.
//
// When s.config.ForceCommand is set, the requested subsystem name is passed
// to the backend as the SSH_ORIGINAL_COMMAND environment variable and the
// forced command is executed instead of the subsystem (the convention
// OpenSSH uses for ForceCommand). Otherwise the subsystem request is
// forwarded unchanged. The policy checks above run in both cases.
//
// Rejections are returned as user messages with code
// ESecuritySubsystemRejected and logged at debug level; a failure to set the
// environment variable is wrapped with ESecurityFailedSetEnv and logged as an
// error.
func (s *sessionHandler) OnSubsystem(
	requestID uint64,
	subsystem string,
) error {
	// All policy rejections share the same user-facing label and only
	// differ in the explanation handed back to the client.
	reject := func(explanation string) error {
		rejection := message.UserMessage(
			message.ESecuritySubsystemRejected,
			"Subsystem execution disabled.",
			explanation,
		)
		s.logger.Debug(rejection)
		return rejection
	}

	mode := s.getPolicy(s.config.Subsystem.Mode)
	switch {
	case mode == config2.ExecutionPolicyDisable:
		return reject("Subsystem execution is disabled in the security settings.")
	case mode == config2.ExecutionPolicyFilter && !s.contains(s.config.Subsystem.Allow, subsystem):
		return reject("The specified subsystem does not match the allowed subsystems list.")
	case mode == config2.ExecutionPolicyEnable && s.contains(s.config.Subsystem.Deny, subsystem):
		return reject("The subsystem execution is rejected because the specified subsystem matches the deny list.")
	}

	forced := s.config.ForceCommand
	if forced == "" {
		return s.backend.OnSubsystem(requestID, subsystem)
	}

	// The forced command replaces the subsystem; the original request is
	// exposed to it through SSH_ORIGINAL_COMMAND so it can decide what to do.
	if envErr := s.backend.OnEnvRequest(requestID, "SSH_ORIGINAL_COMMAND", subsystem); envErr != nil {
		wrapped := message.WrapUser(
			envErr,
			message.ESecurityFailedSetEnv,
			"Could not execute program.",
			"Command execution failed because the security layer could not set the SSH_ORIGINAL_COMMAND variable.",
		)
		s.logger.Error(wrapped)
		return wrapped
	}
	s.logger.Debug(message.NewMessage(
		message.MSecurityForcingCommand,
		"Forcing command execution to %s",
		forced,
	))
	return s.backend.OnExecRequest(requestID, forced)
}
| 263 | |