scp not tolerant of extraneous shell messages

Nicolas.Williams at ubsw.com
Wed Jul 3 03:30:55 EST 2002


On Tue, July 02 2002, Dan Kaminsky wrote:
> OK, so I modify my .profile to execute arbitrary commands.  Look mah,
> every time I access a file on a machine, it's "implied" that I have the
> right to execute stuff on it too.
> 
> You *do* realize this is the kind of logic that's cursed us with macro
> virii, right?

No. I don't see the connection to macro virii.

> *Sigh* SFTP executes from lower security (command execution) to higher
> security (file exchange).  It's actually less secure than FTP.

A lot of things work this way. As long as the shell command
line is built securely and the shell setup (including
/etc/profile and ~/.profile) is secure there is nothing wrong.

Yes, users can shoot their feet and legs off if you let them.

Use a restricted shell if you must.

Perhaps SSHD should be configurable with respect to how
subsystems are started - in fact, I don't see why it shouldn't be
so (though someone is bound to complain about code and config
option bloat...).

> The fix involves detecting an SFTP client in the connection headers,
> launching an SSHD that refuses to do anything *but* run sftp-server, and
> removing all exec style functionality from it.  That gives us a clean
> file transfer environment w/ SSH-class comm security.

You can't detect the client's intention to run SFTP until
after the SSHv2 connection setup, which kinda means you must
run SSHD first.

> --Dan


Nico
-- 





More information about the openssh-unix-dev mailing list