Subject: Re: setuid ssh
To: None <tech-security@netbsd.org>
From: Greg A. Woods <woods@weird.com>
List: tech-security
Date: 10/18/2000 12:12:55
In-Reply-To: <20001018102640.A293@noc.untraceable.net>
References: <atatat@atatdot.net>
	<20001018142031.6072B2A2A@orchard.arlington.ma.us>
	<20001018102640.A293@noc.untraceable.net>
Reply-To: tech-security@NetBSD.ORG (NetBSD Security Technical Discussion List)
Organization: Planix, Inc.; Toronto, Ontario; Canada
Message-Id: <20001018161255.7D8CF4@proven.weird.com>
Date: Wed, 18 Oct 2000 12:12:55 -0400 (EDT)

[ On Wednesday, October 18, 2000 at 10:26:40 (-0400), Andrew Brown wrote: ]
> Subject: Re: setuid ssh
>
> but to digress further, what would be better, imho, would be if
> something "similar" to rhosts existed, but allowed me to specify an
> rsa key (for rsa authentication) along with the host, and perhaps even
> whether or not a remote command is required/refused/optional.  i had a
> case where some people should be allowed to remote execute things, but
> certainly not to log in.  that one was fun.

That's easy.  Put something like this in the target user's
~/.ssh/authorised_keys.  Replace the zeros with originating user's
public key (~/.ssh/identity.pub).  Make sure the target user has a
login of /sbin/nologin.  Oh, and fix your sshd to properly use /bin/sh
when executing "command=".  Patch to 1.2.27 available from:

	ftp://ftp.weird.com/pub/local/ssh-1.2.27.planix.2-Patch

# only allow woods to initiate an rsync of his ~/public_html
no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty,environment="SHELL=/bin/sh",command="/usr/pkg/bin/rsync --rsync-path=/usr/pkg/bin/rsync -vv -rlptHSW --delete --safe-links woods@proven:public_html ." 1024 33 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 woods@proven

-- 
							Greg A. Woods

+1 416 218-0098      VE3TCP      <gwoods@acm.org>      <robohack!woods>
Planix, Inc. <woods@planix.com>; Secrets of the Weird <woods@weird.com>
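
An added example, not part of the original message or of ssh: an audit that parses SSH1-format key lines (options, bits, exponent, modulus, comment) like the entry above and reports keys that lack a forced command or the no-* restrictions that entry uses. The sample file, the "0000" placeholder modulus, the case-insensitive option matching and the absolute-path check are assumptions of this example.

```python
import re

# Restrictions the entry in the message puts on a command-only key (lower-cased).
REQUIRED = {"no-port-forwarding", "no-x11-forwarding", "no-agent-forwarding", "no-pty"}
# One option: a name, optionally ="value"; the value may hold commas, spaces, \" escapes.
OPTION = re.compile(r'([A-Za-z0-9-]+)(?:="((?:\\.|[^"\\])*)")?,?')

def split_options(line):
    """Return (options dict, remainder) for one SSH1-format key line."""
    opts, i = {}, 0
    if line[:1].isdigit():          # no options: line starts with the key's bit count
        return opts, line
    while i < len(line) and not line[i].isspace():
        m = OPTION.match(line, i)
        if not m:                   # e.g. unquoted value or unterminated quote
            raise ValueError("malformed option at column %d" % (i + 1))
        opts[m.group(1).lower()] = m.group(2)
        i = m.end()
    return opts, line[i:].strip()

def audit(text):
    """Return [(line number, [problems])] for key lines that are not locked down."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opts, _ = split_options(line)
        problems = sorted(REQUIRED - set(opts))
        cmd = opts.get("command")
        if not cmd:
            problems.append("no forced command")
        elif not cmd.startswith("/"):   # assumption: require an absolute path
            problems.append("forced command is not an absolute path")
        if problems:
            findings.append((no, problems))
    return findings

# Constructed sample file; "0000" stands in for the key modulus.
SAMPLE = "\n".join([
    "# constructed sample",
    'no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty,environment="SHELL=/bin/sh",'
    'command="/usr/pkg/bin/rsync -rlpt woods@proven:public_html ." 1024 33 0000 woods@proven',
    "1024 33 0000 alice@example",
    'no-port-forwarding,command="backup.sh --mode=full,verify" 1024 33 0000 bob@example',
])

if __name__ == "__main__":
    print(audit(SAMPLE))
```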