Re: Re: AuthorizedKeysCommand support added
Damien Miller
djm at mindrot.org
Thu Nov 1 07:44:32 EST 2012
On Wed, 31 Oct 2012, Fiedler Roman wrote:
> > Well, it would let you break into your own account.
>
> It would let you break into your own account if you just return your
> keys. Would spread havoc if any fds from sshd other than stdout are
> open. I've just looked at the patch and am not quite sure if the code
> might be vulnerable:
>
> You are switching uids before close of fds>STDERR+1. Is it possible to
> attach to the script between setresuid and closefrom? If kernel allows
> that, this would give access to all open sshd fds.
No sane kernel allows ptrace of processes that have changed uid or gid
by the destination uid or gid.
> > This is a risk of using
> > the target user for the login script, which is something we explicitly
> > recommend against.
>
> OK, then documentation is quite important: if I understand it
> right, the default will be this unsafe mode, unless one uses
> AuthorizedKeysCommandUser
yes, though "unsafe" is relative here. It would be nice to have a dedicated
_ssh_helper account or somesuch that we could rely on to be the default.
Perhaps it would be better to ship with no default whatsoever but support
%u as an option.
-d
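The two checks discussed in this exchange, as an added example that is not code from the OpenSSH patch or from anyone on the list: a helper run via AuthorizedKeysCommand can verify at startup that it inherited nothing above stderr (the fd leak Roman is worried about), close anything it did inherit with a portable closefrom()-style loop (closefrom(3) itself exists on the BSDs and newer glibc, but the probe loop below works everywhere), and, on Linux, report the dumpable flag, which is the kernel state that refuses ptrace attachment once a process has changed its uid or gid, as Damien notes. The pipe in main() is a constructed stand-in for a leaked descriptor; the function names are this example's own.

```c
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#ifdef __linux__
#include <sys/prctl.h>
#endif

/*
 * Walk descriptor numbers from lowfd up to the process limit, counting
 * the ones that are open and, if do_close is set, closing them. Probing
 * with fcntl(F_GETFD) is the classic portable closefrom() fallback.
 * The loop is bounded so a huge RLIMIT_NOFILE cannot make it crawl.
 */
static int walk_fds(int lowfd, int do_close)
{
    int n = 0;
    long maxfd = sysconf(_SC_OPEN_MAX);
    if (maxfd < 0 || maxfd > 65536)
        maxfd = 65536;
    for (long fd = lowfd; fd < maxfd; fd++) {
        if (fcntl((int)fd, F_GETFD) == -1)
            continue;               /* not open, nothing to do */
        n++;
        if (do_close)
            close((int)fd);
    }
    return n;
}

/* Number of descriptors >= lowfd that are currently open. */
int count_open_from(int lowfd)
{
    return walk_fds(lowfd, 0);
}

/* Close every descriptor >= lowfd; returns how many were closed. */
int close_from(int lowfd)
{
    return walk_fds(lowfd, 1);
}

/*
 * 1 if the process is still dumpable (and therefore ptrace-attachable by
 * a same-uid process), 0 if the kernel cleared the flag, which Linux does
 * when the effective uid or gid changes, -1 where the query is unavailable.
 */
int is_dumpable(void)
{
#ifdef __linux__
    return prctl(PR_GET_DUMPABLE, 0, 0, 0, 0);
#else
    return -1;
#endif
}

int main(void)
{
    /* Constructed situation: pretend the parent leaked two descriptors. */
    int leaked[2];
    if (pipe(leaked) != 0)
        return 1;

    int lowfd = STDERR_FILENO + 1;
    printf("descriptors open above stderr: %d\n", count_open_from(lowfd));
    printf("dumpable (ptrace attachable): %d\n", is_dumpable());

    /* A helper that does this first cannot misuse what it was handed. */
    int closed = close_from(lowfd);
    printf("closed %d, remaining %d\n", closed, count_open_from(lowfd));
    return 0;
}
```

Running the binary prints a non-zero count before close_from() and zero after; a helper that logs the first number to syslog gives an administrator a cheap way to notice an fd leak from sshd without reading the patch.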