LPK integration - summary and ideas
Philipp Marek
philipp.marek at linbit.com
Thu Jun 10 16:20:52 EST 2010
Hello Dan,
On Wednesday, 9 June 2010, 17:33:26, Dan Kaminsky wrote:
> > What this should help against is (I think) that the external process
> > gets hijacked to provide attacker-supplied authorization information.
> >
> > The original mail wanted to check some kind of signature; to make that
> > easier I proposed to just start the process once, with sshd, so that a
> > simple file rename isn't sufficient to gain access.
> This is a false security boundary. At the point where file renames work,
> there is little that can be done to defend against attack.
Well, that was just a guess on my side.
As I wrote, the mail at
http://marc.info/?l=openssh-unix-dev&m=125655418812760&w=2
had a few lines of discussion about (hash/signature) verification of the
AuthorizedKeysCommand.
But as you'd have to check every library that might be loaded (including
libnss*), even checking for LD_LIBRARY_PATH and so on, this might not be
realistic.
So I proposed to only start the program once - that should provide
sufficient security, I think, because /usr/sbin/sshd could be attacked the
same way.
> I could see some wisdom in requiring a full path to the
> ExternalAuthCommand app, though, since we already have such a
> requirement for sshd itself.
Ok, fine.
Regards,
Phil
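The "full path" requirement and the file-rename concern discussed in this thread, as an added example (Python; not OpenSSH's or the LPK patch's own code): a check that a key-lookup command path is absolute, resolves without symlinks, and has no file or ancestor directory that an untrusted user could write to or that is owned by an untrusted uid. The trusted-uid set, the `stop_at` boundary and the exact rules are this example's assumptions.

```python
import os
import stat


def check_command_path(path, trusted_uids=frozenset({0}), stop_at="/"):
    """Return a list of problems with `path`; an empty list means it passed.

    Rules (assumptions of this example, not OpenSSH's or LPK's own code):
    the path must be absolute and resolve without symlinks to a regular
    file, and the file plus every directory between it and `stop_at`
    (inclusive) must be owned by a trusted uid and must not be group- or
    world-writable. A writable ancestor is what makes a plain rename
    enough to swap the program out from under sshd.
    """
    problems = []
    if not os.path.isabs(path):
        return ["not an absolute path: %r" % path]
    resolved = os.path.realpath(path)
    if resolved != path:
        problems.append("resolves through a symlink to %r" % resolved)
    try:
        st = os.stat(resolved)
    except OSError as exc:
        return problems + ["cannot stat %r: %s" % (resolved, exc)]
    if not stat.S_ISREG(st.st_mode):
        problems.append("%r is not a regular file" % resolved)
    stop_at = os.path.realpath(stop_at)
    component = resolved
    # Walk from the file up towards stop_at (or the filesystem root).
    while True:
        st = os.stat(component)
        if st.st_uid not in trusted_uids:
            problems.append("%r is owned by untrusted uid %d"
                            % (component, st.st_uid))
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            problems.append("%r is group- or world-writable" % component)
        parent = os.path.dirname(component)
        if component == stop_at or parent == component:
            break
        component = parent
    return problems
```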