LPK integration - summary and ideas

Dan Kaminsky dan at doxpara.com
Thu Jun 10 01:33:26 EST 2010


> What this should help against is (I think) that the external process gets
> hijacked to provide attacker-supplied authorization information.
>
> The original mail wanted to check some kind of signature; to make that
> easier I proposed to just start the process once, with sshd, so that a
> simple file rename isn't sufficient to gain access.
>

This is a false security boundary.  At the point where file renames work,
there is little that can be done to defend against attack.  (False security
boundaries are _incredibly_ dangerous, as they consume all oxygen as they're
repeatedly patched up.)

I could see some wisdom in requiring a full path to the ExternalAuthCommand
app, though, since we already have such a requirement for sshd itself.

--Dan
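The concrete suggestion above (require a full path to the external command, and treat "file renames work" as already game over) maps onto the same path check sshd applies to authorized_keys under StrictModes: every component from / down to the file must be owned by a trusted uid and not group- or world-writable, because a writable parent directory is all an attacker needs to rename the real binary aside and drop in their own. The following is an added example written for this page, not code from the thread or from OpenSSH. It assumes the option name ExternalAuthCommand discussed in the thread (never an actual sshd keyword), a hypothetical binary at /usr/libexec/lpk-auth, and a constructed in-memory stat table so it runs offline; os_lstat() is the drop-in for a real host.

```python
"""Absolute-path and secure-path check for an sshd-style external command option.
Added example for the openssh-unix-dev LPK thread; not OpenSSH code."""
import os
import stat
from typing import Callable, Dict, Optional, Tuple

# Minimal stat result: (owner uid, st_mode). Enough to model ownership and write bits.
StatInfo = Tuple[int, int]
StatFn = Callable[[str], Optional[StatInfo]]


def parse_option(line: str, option: str = "ExternalAuthCommand") -> Optional[str]:
    """Return the argument of `option` from one sshd_config-style line, else None."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    parts = stripped.split(None, 1)
    if len(parts) != 2 or parts[0].lower() != option.lower():
        return None
    return parts[1].strip()


def check_secure_path(path: str, stat_fn: StatFn, trusted_uid: int = 0) -> Tuple[bool, str]:
    """Reject `path` unless it is absolute and every component, from / down to the
    file itself, is owned by `trusted_uid` and not group/world writable. The final
    component must be a regular, executable file. Returns (ok, reason)."""
    if not path.startswith("/"):
        return False, "path must be absolute"
    if path != os.path.normpath(path):
        return False, "path must be normalized (no '..', '.', or repeated '/')"
    # Walk "/", "/usr", "/usr/libexec", ... so a writable parent directory is caught:
    # that is the "file rename" case, where the binary itself may look pristine.
    components = ["/"]
    acc = ""
    for part in path.strip("/").split("/"):
        if part:
            acc += "/" + part
            components.append(acc)
    for comp in components:
        info = stat_fn(comp)
        if info is None:
            return False, f"{comp}: does not exist"
        uid, mode = info
        if stat.S_ISLNK(mode):
            return False, f"{comp}: symbolic link not permitted"
        if uid != trusted_uid:
            return False, f"{comp}: owned by uid {uid}, expected {trusted_uid}"
        if mode & (stat.S_IWGRP | stat.S_IWOTH):
            return False, f"{comp}: group or world writable"
    _, mode = stat_fn(path)
    if not stat.S_ISREG(mode):
        return False, f"{path}: not a regular file"
    if not mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
        return False, f"{path}: not executable"
    return True, "ok"


def os_lstat(path: str) -> Optional[StatInfo]:
    """Real-filesystem StatFn: lstat so symlinks are seen as symlinks, not followed."""
    try:
        st = os.lstat(path)
    except OSError:
        return None
    return st.st_uid, st.st_mode


# Constructed sample trees (not taken from any real host). Binary name is hypothetical.
GOOD_FS: Dict[str, StatInfo] = {
    "/": (0, stat.S_IFDIR | 0o755),
    "/usr": (0, stat.S_IFDIR | 0o755),
    "/usr/libexec": (0, stat.S_IFDIR | 0o755),
    "/usr/libexec/lpk-auth": (0, stat.S_IFREG | 0o755),
}
# Same tree, but /usr/libexec is world writable: the binary can be renamed away and replaced.
WRITABLE_DIR_FS: Dict[str, StatInfo] = dict(GOOD_FS, **{"/usr/libexec": (0, stat.S_IFDIR | 0o777)})
# Same tree, but the binary belongs to an unprivileged user.
USER_OWNED_FS: Dict[str, StatInfo] = dict(GOOD_FS, **{"/usr/libexec/lpk-auth": (1000, stat.S_IFREG | 0o755)})


def check_config_line(line: str, stat_fn: StatFn) -> Tuple[bool, str]:
    """Parse one config line and validate the command it names."""
    cmd = parse_option(line)
    if cmd is None:
        return False, "no ExternalAuthCommand on this line"
    return check_secure_path(cmd, stat_fn)


if __name__ == "__main__":
    for label, fs in (("good", GOOD_FS), ("writable dir", WRITABLE_DIR_FS), ("user owned", USER_OWNED_FS)):
        print(label, check_config_line("ExternalAuthCommand /usr/libexec/lpk-auth", fs.get))
    print("relative", check_config_line("ExternalAuthCommand lpk-auth", GOOD_FS.get))
```

The check deliberately looks at the whole chain of directories rather than just the executable, and uses lstat rather than stat, since a symlink anywhere in the chain lets the target be swapped without touching the directory the check would otherwise trust. It does not, and cannot, defend a host where the attacker can already rename files in root-owned directories, which is the point being made above; it only refuses configurations that make that situation easy to reach.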

