Re: OT: security of make as authorized_keys command



Manuel Arostegui Ramirez wrote:

Morning Dave,

This is such a dangerous thing, I have to say.
First off, and regarding the fact of what a bad guy could do...
If he had access to $command it means he would be able to know the key,
so he can log in without a problem on the remote machine (not just
executing remote commands, which would involve a wee bit of experience
in Linux environments to know the remote paths and all that; if he got
access to the machine it would be easier. I hope I'm explaining myself
quite clearly).

I don't believe this is true. From the sshd man page:

command="command"
Specifies that the command is executed whenever this key is
used for authentication. The command supplied by the user (if
any) is ignored. The command is run on a pty if the client
requests a pty; otherwise it is run without a tty. If an 8-bit
clean channel is required, one must not request a pty or should
specify no-pty. A quote may be included in the command by
quoting it with a backslash. This option might be useful to
restrict certain public keys to perform just a specific
operation. An example might be a key that permits remote backups
but nothing else. Note that the client may specify TCP and/or
X11 forwarding unless they are explicitly prohibited. Note that
this option applies to shell, command or subsystem execution.

Mikkel
--

Do not meddle in the affairs of dragons,
for thou art crunchy and taste good with Ketchup!

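The man page behaviour quoted above, as an added example that is not part of the original thread or of any poster's setup: a forced-command wrapper that sshd runs instead of whatever the client asked for. Whatever the client typed after `ssh host` arrives only in `$SSH_ORIGINAL_COMMAND`, and the wrapper decides what, if anything, to do with it. The script path `/usr/local/bin/make-wrapper`, the build directory `/srv/build` and the allowed targets are assumptions for the illustration. Note that passing `$SSH_ORIGINAL_COMMAND` straight to `make` would undo the restriction, since `make -f /tmp/Makefile` or `make SHELL=/bin/sh CC=...` lets the key holder run arbitrary commands; hence the exact-match allow-list.

```shell
#!/bin/sh
# Added example (not from the thread). Forced-command wrapper for an
# authorized_keys entry. Assumed path: /usr/local/bin/make-wrapper.
#
# authorized_keys line (key material elided):
#   restrict,command="/usr/local/bin/make-wrapper" ssh-ed25519 AAAA... build@host
#
# "restrict" (OpenSSH 7.2 and later) turns off port, X11 and agent forwarding
# and pty allocation, which the quoted man page notes are otherwise still
# available to the client. On older sshd spell it out as
#   no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty,command="..."
#
# sshd ignores the command the client requested and runs this script; the
# client's request is exposed only in $SSH_ORIGINAL_COMMAND.

# Exact-match allow-list. Return 0 for a permitted request, 1 otherwise.
# The request is passed as $1 so the check can be exercised without sshd.
# Anything with extra words, options or variable overrides falls through
# to the default branch and is rejected.
allowed_target() {
    case "$1" in
        "make all"|"make backup"|"make clean") return 0 ;;
        *) return 1 ;;
    esac
}

# Print the single target word for a permitted request; print nothing
# (and return 1) for anything else.
target_of() {
    if allowed_target "$1"; then
        printf '%s\n' "${1#make }"
        return 0
    fi
    return 1
}

main() {
    req="${SSH_ORIGINAL_COMMAND:-}"
    if ! allowed_target "$req"; then
        printf 'rejected request: %s\n' "$req" >&2
        exit 1
    fi
    # Assumed build directory; make only ever sees an allow-listed target.
    cd /srv/build || exit 1
    exec make "$(target_of "$req")"
}

# Run main only when invoked as the installed wrapper, not when sourced.
case "$0" in
    */make-wrapper) main ;;
esac
```

With this entry the key can trigger three make targets and nothing else; a client running `ssh host 'make -f /tmp/x'` gets "rejected request" on stderr and exit status 1, and a plain `ssh host` with no command is rejected the same way. Having the key gives a login only in the sense of executing this wrapper, which is exactly the point of the `command=` option.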

--
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
