AuthorizedKeysCommand support added
Damien Miller
djm at mindrot.org
Thu Nov 1 02:55:57 EST 2012
On Wed, 31 Oct 2012, Alex Bligh wrote:
>
> On 31 Oct 2012, at 08:01, Damien Miller wrote:
>
> >>
> >> Or have you by this time checked the username is in some way sane?
> >
> > It is only invoked if the user actually has an account on the host, so
> > there is no risk of bad usernames percolating through to the helper.
>
> My concern was partly the LDAP case where (at least with the ldap patches)
> it lets you if there is an account on the LDAP server. I'm not sure whether
> there is some form of escalation opportunity here. I think with the
> Match group thing, perhaps not. Can we guarantee that the username is
> a string for which getpwnam returns an entry?

Yes.

> If so, perhaps this isn't
> a problem, as if admins permit users with | `` < > $ {} etc in, then they
> deserve all they get if they don't write safe scripts. It would be useful
> to document that the script can rely on the fact that $1 is a username
> for which getpwnam returned something sometime in the recent past.

I'd rather leave them paranoid if it encourages proper care :)

-d
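
An added example, not part of the original message or of OpenSSH: a sketch of an AuthorizedKeysCommand helper that stays paranoid about `$1` as discussed in the thread above, rejecting names that contain shell metacharacters or path components before using them. The `KEYS_DIR` layout, the function names, the allow-list and the 32-character limit are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: AuthorizedKeysCommand helper that does not trust its argument.
LC_ALL=C; export LC_ALL          # keep bracket ranges byte-wise

# Hypothetical layout: one file of public keys per account name.
KEYS_DIR="${KEYS_DIR:-/etc/ssh/authorized_keys.d}"

# Succeeds only for names built from a conservative allow-list.
valid_username() {
    case "$1" in
        ''|-*|.*) return 1 ;;               # empty, option-like, or dot-leading
        *[!A-Za-z0-9._-]*) return 1 ;;      # rejects | ` < > $ { } / space, newline
    esac
    [ "${#1}" -le 32 ]                      # assumed length limit
}

# Prints the keys for one account; prints nothing if there is no key file.
authorized_keys_for() {
    user=$1
    if ! valid_username "$user"; then
        echo "authorized-keys helper: rejecting unsafe username" >&2
        return 1
    fi
    keyfile="$KEYS_DIR/$user"
    # Regular files only: a symlink could point outside KEYS_DIR.
    if [ -f "$keyfile" ] && [ ! -L "$keyfile" ]; then
        cat "$keyfile"
    fi
    return 0
}

# sshd passes the username as $1; with no argument the script only defines functions.
[ "$#" -eq 0 ] || authorized_keys_for "$1"
```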