AuthorizedKeysCommand support added

Alex Bligh alex at alex.org.uk
Wed Oct 31 19:27:57 EST 2012


On 31 Oct 2012, at 08:01, Damien Miller wrote:

>> 
>> Or have you by this time checked the username is in some way sane?
> 
> It is only invoked if the user actually has an account on the host, so
> there is no risk of bad usernames percolating through to the helper.

My concern was partly the LDAP case where (at least with the ldap patches)
it lets you if there is an account on the LDAP server. I'm not sure whether
there is some form of escalation opportunity here. I think with the
Match group thing, perhaps not. Can we guarantee that the username is
a string for which getpwnam returns an entry? If so, perhaps this isn't
a problem, as if admins permit users with | `` < > $ {} etc in, then they
deserve all they get if they don't write safe scripts. It would be useful
to document that the script can rely on the fact that $1 is a username
for which getpwnam returned something sometime in the recent past.

-- 
Alex Bligh
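
The concern raised in this message, shown from the helper's side, as an added example that is not code from this thread or from OpenSSH: a helper that treats `$1` as untrusted until it has passed an allowlist and a fresh account lookup. `KEYS_DIR`, the function names and the allowlist policy are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: defensive AuthorizedKeysCommand helper. sshd passes the
# login name as $1. KEYS_DIR is a hypothetical per-user key store.
LC_ALL=C; export LC_ALL
KEYS_DIR="${KEYS_DIR:-/etc/ssh/authorized_keys.d}"

# Assumed policy: first character a lowercase letter or underscore, then
# lowercase letters, digits, '_' or '-', at most 32 characters. This rejects
# | ` < > $ { } / whitespace and a leading '-' (option injection).
valid_username() {
    name=$1
    [ -n "$name" ] || return 1
    [ "${#name}" -le 32 ] || return 1
    case $name in
        [!a-z_]*) return 1 ;;
        *[!a-z0-9_-]*) return 1 ;;
    esac
    return 0
}

# Re-check that the name resolves through the system account database
# (getpwnam), since "sometime in the recent past" is not "now".
account_exists() {
    id -u "$1" >/dev/null 2>&1
}

# Print the keys for one user, or nothing at all if any check fails.
print_keys() {
    user=$1
    valid_username "$user" || return 1
    account_exists "$user" || return 1
    keyfile="$KEYS_DIR/$user"
    # Only a regular file that is not a symlink is acceptable.
    [ -f "$keyfile" ] && [ ! -L "$keyfile" ] || return 1
    cat -- "$keyfile"
}

# Run the lookup only when invoked with a username argument.
if [ "$#" -ge 1 ]; then
    print_keys "$1" || exit 1
fi
```

Every expansion of the username is double-quoted and the name is never passed to `eval` or interpolated into another command string, so a name that slipped past the allowlist would still be handled as data.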






More information about the openssh-unix-dev mailing list