X11 forwarding after su'ing
Haan, de, Jan
Jan.de.Haan at Essent.nl
Fri Jun 6 21:33:44 EST 2003
> > 3. why not use ssh -X -l <thotheruserIwantedsuto?> <thehost>?
> Maybe, because -l root ain't that nice?
> Philipp
Sorry for refering so late to a (securityfocus) post, but the Subject
has been nagging me for the last month ;-) Problem was how to keep your
DISPLAY, xauth and security (no 'ssh root at host' over the net) when
changing users remotely (especially to root with su/sudo)
Comments please on the security side of this 'solution' and the
proposed feature request.
Solved it by running two sshd's, one started with "sshd -f sshd1_config"
with
"ListenAddress <hostname on ethx>"
"PermitRootLogin no"
"PidFile /var/run/ssh1.pid" <== That one bit me
... in the ass a few times ;-)
...
And another started with "sshd -f sshd2_config"
"ListenAddress dummy0"
"PermitRootLogin yes"
"PidFile /var/run/ssh2.pid"
dummy0 is the hostname of the ip address on a loopbackadapter
(Debian/GNU/Linux /etc/modules, dummy; HPUX/Sun ifconfig lo0:1;
winx msloopback adapter) which is not visible on the outside
(disabled in routing) Only one extra address/subnet (/30 ?) is
needed for an unlimited number of hosts since it can be
identical on all because it is not routed.
Access can be gained in two ways: generating two keys that you both
load in your ssh-agent or by adding your identity.pub to the
authorized_keys2 of the second remote user.
Proof of concept:
user1 at host1:/home/user1 >ssh -X host2
Linux host2 2.4.18-686 #1 Sun Apr 14 11:32:47 EST 2002 i686 unknown
Last login: Fri Jun 6 08:44:00 2003 from host1
user1 at host2:~$ ssh -X root at dummy0
Linux host2 2.4.18-686 #1 Sun Apr 14 11:32:47 EST 2002 i686 unknown
Last login: Fri Jun 6 11:25:25 2003 from dummy0
root at host2:/root >echo $DISPLAY
localhost:11.0
root at host2:/root >
and
user1 at host1:/home/user1 >ssh -X -f host2 'ssh -X -f root at dummy0
/usr/bin/X11/xterm'
works too.
Feature request
This kludge (2 daemons) would not have to be used if the posibility existed
of
using a combined "AllowUsers" and "ListenAddress" parameter (ACL's ?)
for instance:
ACL
[allow|deny],[dns|host|ipaddress|range[:port]],[user|group],[dns|host|ipaddr
ess|range[:port]]
ACL allow, hostname, root, dummy0
ACL deny, *, !root, dummy0
ACL allow, *, !root, *
ACL deny, *, *, * (sorry, Cisco heritage showing ;-) )
Sincerely,
Jan.
More information about the openssh-unix-dev
mailing list