LPK integration - summary and ideas

Philipp Marek philipp.marek at linbit.com
Thu Jun 10 16:20:52 EST 2010


Hello Dan,

On Wednesday, 9 June 2010, 17:33:26, Dan Kaminsky wrote:
> > What this should help against is (I think) that the external process
> > gets hijacked to provide attacker-supplied authorization information.
> > 
> > The original mail wanted to check some kind of signature; to make that
> > easier I proposed to just start the process once, with sshd, so that a
> > simple file rename isn't sufficient to gain access.
> This is a false security boundary.  At the point where file renames work,
> there is little that can be done to defend against attack.  
Well, that was just a guess on my side.

As I wrote, the mail at
	http://marc.info/?l=openssh-unix-dev&m=125655418812760&w=2
had a few lines discussion about (hash/signature) verification of the 
AuthorizedKeysCommand.

But as you'd have to check every library that might be loaded (including 
libnss*), even checking for LD_LIBRARY_PATH and so on, this might not be 
realistic.

So I proposed to only start the program once - that should provide 
sufficient security, I think, because /usr/sbin/sshd could be attacked the 
same way.


> I could see some wisdom in requiring a full path to the
> ExternalAuthCommand app, though, since we already have such a
> requirement for sshd itself.
Ok, fine.


Regards,

Phil
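A defender's check for the full-path point discussed above, added here as an example and not code from the thread or from OpenSSH: it reads the AuthorizedKeysCommand value from a constructed sshd_config fragment and applies StrictModes-style ownership and permission checks to the program and every parent directory, so a simple rename or swap by an unprivileged user is caught (the /usr/local/sbin/lpk-keys path and the temp-file self-check are assumptions).

```python
import os
import stat
import tempfile

# Constructed sshd_config fragments (not from the thread). The first uses
# the absolute path the thread recommends; the second is the relative form.
GOOD_CFG = "AuthorizedKeysCommand /usr/local/sbin/lpk-keys\nAuthorizedKeysCommandUser nobody\n"
BAD_CFG = "AuthorizedKeysCommand lpk-keys\n"


def parse_auth_keys_command(config_text):
    """Return the program named by AuthorizedKeysCommand, or None if unset."""
    for line in config_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if parts[0].lower() == "authorizedkeyscommand" and len(parts) == 2:
            return parts[1].split()[0]  # first token; arguments are dropped
    return None


def check_command_path(path):
    """StrictModes-style checks on the command: absolute, present, root-owned,
    not group/world writable, and the same for each parent directory."""
    if not os.path.isabs(path):
        return ["not an absolute path: %r" % path]
    if not os.path.exists(path):
        return ["does not exist: %r" % path]
    problems = []
    cur = path
    while True:
        st = os.stat(cur)
        if st.st_uid != 0:
            problems.append("%s is not owned by root (uid %d)" % (cur, st.st_uid))
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            problems.append("%s is group/world writable" % cur)
        parent = os.path.dirname(cur)
        if parent == cur:  # reached the filesystem root
            break
        cur = parent
    return problems


def demo_writable_command():
    """Self-check: a constructed world-writable command file must be flagged."""
    d = tempfile.mkdtemp()
    p = os.path.join(d, "lpk-keys")
    open(p, "w").close()
    os.chmod(p, 0o777)
    return check_command_path(p)
```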

