LPK integration - summary and ideas
Dan Kaminsky
dan at doxpara.com
Thu Jun 10 01:33:26 EST 2010
> What this should help against is (I think) that the external process gets
> hijacked to provide attacker-supplied authorization information.
>
> The original mail wanted to check some kind of signature; to make that
> easier I proposed to just start the process once, with sshd, so that a
> simple file rename isn't sufficient to gain access.
>
This is a false security boundary. At the point where file renames work,
there is little that can be done to defend against attack. (False security
boundaries are _incredibly_ dangerous, as they consume all oxygen as they're
repeatedly patched up.)
I could see some wisdom in requiring a full path to the ExternalAuthCommand
app, though, since we already have such a requirement for sshd itself.
--Dan
More information about the openssh-unix-dev
mailing list