AW: AW: AuthorizedKeysCommand support added

Damien Miller djm at
Thu Nov 1 07:44:32 EST 2012

On Wed, 31 Oct 2012, Fiedler Roman wrote:

> > Well, it would let you break into your own account.
> It would let you break in your own account if you just return your
> keys. Would spread harvoc if any fds from sshd other than stdout are
> open. I've just looked at the patch and are not quite sure if code
> might be vulnerable:
> You are switching uids before close of fds>STDERR+1. Is it possible to
>attach to the script between setresuid and closefrom? If kernel allows
>that, this would give access to all open sshd fds.

No sane kernel allows ptrace of processes that have changed uid or gid
by the destination uid or gid.

> > This is a risk of using
> > the target user for the login script, which is something we explicitly
> > recommend against.
> OK, then documentation is quite important: if I understand it
> right, the default will be this unsafe mode, unless one uses
> AuthorizedKeysCommandUser

yes, though "unsafe" is relative here. It would be nice to have a dedicated
_ssh_helper account or somesuch that we could rely on to be the default.

Perhaps it would be better to ship with no default whatsoever but support
%u as an option.


More information about the openssh-unix-dev mailing list