OT: security of make as authorized_keys command
- From: "Dave Burns" <tburns@xxxxxxxxxx>
- Date: Sun, 30 Dec 2007 15:19:47 -1000
I should probably ask this on an ssh oriented list, but I thought I'd
try my luck here first.

I want to do some remote commands securely. I put a key in my
.ssh/authorized_keys file like so:

    command="/usr/bin/make $SSH_ORIGINAL_COMMAND" ssh-rsa AAAAB3NzaC1[etc.etc.]

so I can invoke make targets like so:

    ssh username@host target

Assuming the bad guys never get my key, I am fine, even though it is
passwordless.

What if a bad guy does get my key? Then I see three possible problems:

1) somehow use make's -F switch in ssh command to change Makefiles?
2) stack overflow of make or ssh?
3) Somehow put extra command after make target using ';' or something?

And obviously the bad guy can invoke any of the targets in my
makefile, but I've made them pretty innocuous.

So, should I seriously worry about any of these potential problems?
Any other holes I haven't thought of?

The motivation for all this is some cron jobs I want to run, obviously
calls for a passwordless ssh key, but I want to put some limits on it.

Thanks,
Dave
--
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
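
An added example (not part of the original post or of any reply): a forced-command wrapper that accepts only one allowlisted target, because the unquoted $SSH_ORIGINAL_COMMAND in the command= line above is word-split by the shell and every extra word reaches make as an argument. The script path /usr/local/bin/make-gate, the target names and the Makefile location are assumptions.

```shell
#!/bin/sh
# Forced-command wrapper (added example). Assumed install path:
#   /usr/local/bin/make-gate
# Assumed authorized_keys entry (key material elided as in the post):
#   command="/usr/local/bin/make-gate",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding ssh-rsa AAAAB3NzaC1[etc.etc.]

ALLOWED_TARGETS="backup rotate-logs status"   # constructed sample targets
MAKEFILE="$HOME/cron/Makefile"                # assumed Makefile location

# Print the target and return 0 only if the request is exactly one
# allowlisted word; return 1 for anything else.
validate_target() {
    req=$1
    case $req in
        # Empty request, or any character outside [A-Za-z0-9_-]:
        # rejects spaces, ';', '=', '/', quotes, newlines, and so on.
        ''|*[!A-Za-z0-9_-]*) return 1 ;;
        # A leading dash would be read by make as an option.
        -*) return 1 ;;
    esac
    for t in $ALLOWED_TARGETS; do
        if [ "$req" = "$t" ]; then
            printf '%s\n' "$t"
            return 0
        fi
    done
    return 1
}

# sshd sets SSH_ORIGINAL_COMMAND when the client sent a command.
# The Makefile is fixed here, so the client cannot choose another one.
if [ -n "${SSH_ORIGINAL_COMMAND+set}" ]; then
    if target=$(validate_target "$SSH_ORIGINAL_COMMAND"); then
        exec /usr/bin/make -f "$MAKEFILE" "$target"
    fi
    # Log only the client address, never the untrusted request text.
    src=${SSH_CONNECTION:-unknown}
    logger -t make-gate "rejected request from ${src%% *}"
    exit 1
fi
```

With this in place the cron job still runs `ssh username@host backup`, and any request that is not a single listed target is refused and logged before make starts.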