Request for a Lockdown option

raf ssh at raf.org
Thu Jul 4 10:13:04 AEST 2024


On Wed, Jul 03, 2024 at 07:18:33PM +0000, Manon Goo <manon.goo at dg-i.net> wrote:

> Dear OpenSSH developers,
> 
> Thanks a lot for your work on OpenSSH. We use it a lot and it is very
> helpful for our daily work.  Would it be possible to have a lockdown
> option as a workaround in case of a remotely exploitable problem in
> ssh.  This may help react to compromised keys/passwords, configuration
> issues, software bugs or other problems for example when Debian broke
> ssh.
> 
> [...]

> Kind Regards,
> Manon

Something that might help you is my sshdo program
(github.com/raforg/sshdo). It mitigates private key
compromise but only for cases where ssh is used to
remotely execute an arbitrary fixed set of commands
(e.g. scripted tasks or cronjobs). It doesn't help for
interactive ssh use. It gets used as a forced command
and it can automatically learn what commands are needed
and then only allow those commands. It can also unlearn
commands that are no longer in use. It's very easy to
use and prevents ssh being used for any command that has
not previously been allowed.

cheers,
raf
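An added illustration of the forced-command allowlisting approach raf describes above (this is example code written for this page, not sshdo's own implementation). It assumes a hypothetical script name `allowlist-cmd`, an allowlist file path supplied as an argument, and the standard `SSH_ORIGINAL_COMMAND` variable that sshd sets when a `command=` option is in effect. In `learn` mode it records and runs whatever is requested; in `enforce` mode it only runs commands already recorded, and always refuses a bare interactive shell.

```shell
#!/bin/sh
# allowlist-cmd: a minimal ssh forced command that allowlists exact command
# strings. Example code for this page; not sshdo. Assumes an allowlist file of
# one complete command line per entry.
#
# Installed per key in ~/.ssh/authorized_keys (real options, placeholder key):
#   command="/usr/local/bin/allowlist-cmd enforce /etc/allowlist-cmd/allowed",no-pty,no-port-forwarding ssh-ed25519 AAAA...placeholder

# is_allowed ALLOWLIST COMMAND: succeed only if COMMAND appears verbatim as a
# whole line. -x forbids substring matches, -F disables regex interpretation.
is_allowed() {
    allowlist="$1"; cmd="$2"
    [ -f "$allowlist" ] || return 1
    grep -qxF -- "$cmd" "$allowlist"
}

# record ALLOWLIST COMMAND: append COMMAND unless already present (learn mode).
record() {
    allowlist="$1"; cmd="$2"
    is_allowed "$allowlist" "$cmd" && return 0
    printf '%s\n' "$cmd" >> "$allowlist"
}

# decide MODE ALLOWLIST COMMAND: print "allow" or "deny" and return 0 or 1.
decide() {
    mode="$1"; allowlist="$2"; cmd="$3"
    # An empty original command means an interactive shell was requested;
    # that is never allowed, in either mode.
    case "$cmd" in
        '') echo deny; return 1 ;;
    esac
    case "$mode" in
        learn)
            record "$allowlist" "$cmd"
            echo allow; return 0 ;;
        enforce)
            if is_allowed "$allowlist" "$cmd"; then
                echo allow; return 0
            fi
            echo deny; return 1 ;;
        *)
            echo deny; return 1 ;;
    esac
}

# main MODE ALLOWLIST: evaluate SSH_ORIGINAL_COMMAND, log the decision to
# syslog, and either exec the command or refuse.
main() {
    mode="$1"; allowlist="$2"
    cmd="${SSH_ORIGINAL_COMMAND:-}"
    if decide "$mode" "$allowlist" "$cmd" >/dev/null; then
        logger -t allowlist-cmd "allow user=${USER:-?} cmd=$cmd"
        exec /bin/sh -c "$cmd"
    fi
    logger -t allowlist-cmd "deny user=${USER:-?} cmd=$cmd"
    echo "command not permitted" >&2
    exit 127
}

# Dispatch only when invoked with MODE and ALLOWLIST arguments.
if [ "$#" -ge 2 ]; then
    main "$@"
fi
```

Run a learning period with `learn` while the scripted jobs execute normally, review the resulting allowlist, then switch the `authorized_keys` entry to `enforce`. Because matching is on the whole command line, a compromised key can only replay the exact commands that were recorded, and the syslog lines give a simple detection signal for any denied attempt.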
