Subject: Re: setuid ssh
To: Andrew Brown <atatat@atatdot.net>
From: Greg A. Woods <woods@weird.com>
List: tech-security
Date: 10/19/2000 15:57:07
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
From: woods@weird.com (Greg A. Woods)
To: Andrew Brown <atatat@atatdot.net>
Cc: NetBSD Security Technical Discussion List <tech-security@netbsd.org>
Subject: Re: setuid ssh
In-Reply-To: <20001018223810.A6338@noc.untraceable.net>
References: <atatat@atatdot.net>
	<20001018142031.6072B2A2A@orchard.arlington.ma.us>
	<20001018102640.A293@noc.untraceable.net>
	<20001018161255.7D8CF4@proven.weird.com>
	<20001018223810.A6338@noc.untraceable.net>
Reply-To: tech-security@NetBSD.ORG (NetBSD Security Technical Discussion List)
Organization: Planix, Inc.; Toronto, Ontario; Canada
Message-Id: <20001019195707.895E24@proven.weird.com>
Date: Thu, 19 Oct 2000 15:57:07 -0400 (EDT)

[ On Wednesday, October 18, 2000 at 22:38:10 (-0400), Andrew Brown wrote: ]
> Subject: Re: setuid ssh
>
> >That's easy.  Put something like this in the target user's
> >~/.ssh/authorized_keys.  Replace the zeros with the originating user's
> >public key (~/.ssh/identity.pub).  Make sure the target user has a
> >login of /sbin/nologin.  Oh, and fix your sshd to properly use /bin/sh
> >when executing "command=".  Patch to 1.2.27 available from:
> >
> >	ftp://ftp.weird.com/pub/local/ssh-1.2.27.planix.2-Patch
> 
> that's a rather weighty patch...not one i'd feel comfortable (or the
> inclination of) installing on a lot of machines.

It includes all the bug fixes necessary for 1.2.27, plus a couple of my
own bug fixes.

I'm sure you can find the important bits that make forced command
execution work properly and manually apply them to your own version of
SSH should you so choose.

> and "properly use /bin/sh when executing" is wrong.  plain wrong.  it
> should be using *my* shell.

NO!!!!!  You're forgetting what the heck you're doing here.  You MUST
NOT EVER use the user's shell when executing a forced command!
Hopefully that shell will be /sbin/nologin, but even if it's not the
intent here is to mimic system(3).  SSH is BROKEN without my patch and
the forced-command feature is totally useless for the requirements you
stated.

The intent here is to allow an administrator to set up an account that
can only be used via SSH to execute one authorised command (which
hopefully itself has no security vulnerabilities that would permit such
SSH users to go the next step and execute arbitrary commands).

-- 
							Greg A. Woods

+1 416 218-0098      VE3TCP      <gwoods@acm.org>      <robohack!woods>
Planix, Inc. <woods@planix.com>; Secrets of the Weird <woods@weird.com>
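The point of the disagreement above can be shown mechanically: if sshd hands a forced command to the account's login shell and that shell is /sbin/nologin, the command never runs, whereas handing it to /bin/sh (the system(3) convention) runs exactly the one permitted command. The script below is an added example, not code from this thread, from ssh 1.2.27 or from the Planix patch. It models sshd's `<shell> -c "<command>"` step with a constructed stand-in for /sbin/nologin and a constructed `report` command, and adds two checks a defender would run when setting such an account up: that the authorized_keys line carries `command=` together with the `no-port-forwarding`, `no-X11-forwarding`, `no-agent-forwarding` and `no-pty` options (the restriction options the SSH-1 authorized_keys format supports), and that the account's passwd entry really has /sbin/nologin as its shell. The key line, its zero-filled modulus and the passwd entries are constructed here, not taken from any real system.

```shell
#!/bin/sh
# Added example, not code from the thread or from ssh 1.2.27 itself. It models
# the two behaviours discussed: sshd running a forced command through the
# account's login shell (broken when that shell is /sbin/nologin) versus
# through /bin/sh, the system(3) convention. The "nologin" stand-in, the
# "report" command, the key line and the passwd lines are all constructed.

workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT

# Constructed stand-in for /sbin/nologin: like the real one it ignores its
# arguments, prints a refusal and exits non-zero, so "-c <command>" never runs.
cat > "$workdir/nologin" <<'EOF'
#!/bin/sh
echo "This account is currently not available." >&2
exit 1
EOF
chmod +x "$workdir/nologin"

# Constructed single command the administrator intends to permit.
cat > "$workdir/report" <<'EOF'
#!/bin/sh
echo "report-ok"
EOF
chmod +x "$workdir/report"

# Model of sshd executing command="...": <shell> -c "<command>".
# Prints whatever the command prints; returns the shell's exit status.
run_forced_command() {
    _shell=$1
    _cmd=$2
    "$_shell" -c "$_cmd" 2>/dev/null
}

# Audit one authorized_keys line: it must carry a forced command plus the
# options that close the other channels an SSH session could otherwise open.
# Returns 0 when all are present, 1 otherwise.
check_forced_key_line() {
    _line=$1
    for _opt in 'command="' no-port-forwarding no-X11-forwarding no-agent-forwarding no-pty; do
        case $_line in
            *"$_opt"*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# Returns 0 if the seventh passwd field (the login shell) is /sbin/nologin.
account_shell_is_nologin() {
    _shell=$(printf '%s\n' "$1" | cut -d: -f7)
    [ "$_shell" = /sbin/nologin ]
}

# Constructed key line in the SSH-1 authorized_keys layout: options, then
# bits, exponent, modulus (zeros stand in for the real public key), comment.
key_line="command=\"$workdir/report\",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty 1024 35 000000000000000000000000 backup@example.test"
# The same key with no options at all: an ordinary login key.
plain_line="1024 35 000000000000000000000000 backup@example.test"
# Constructed passwd entries for the target account, locked and unlocked.
locked_pw="backup:*:1010:1010:Backup account:/home/backup:/sbin/nologin"
open_pw="backup:*:1010:1010:Backup account:/home/backup:/bin/sh"

main() {
    printf 'forced command via /bin/sh:        %s\n' "$(run_forced_command /bin/sh "$workdir/report")"
    printf 'forced command via nologin shell:  %s\n' "$(run_forced_command "$workdir/nologin" "$workdir/report")"
    check_forced_key_line "$key_line" && echo "key line: restricted" || echo "key line: NOT restricted"
    check_forced_key_line "$plain_line" && echo "plain line: restricted" || echo "plain line: NOT restricted"
    account_shell_is_nologin "$locked_pw" && echo "account: interactive login disabled" || echo "account: interactive login still possible"
    account_shell_is_nologin "$open_pw" && echo "account: interactive login disabled" || echo "account: interactive login still possible"
}

main
```

Running it prints `report-ok` for the /bin/sh case and nothing for the nologin case, which is the failure the patch in the thread addresses. The two audit functions are the ones worth keeping around: a `command=` line without `no-pty` and the forwarding restrictions still leaves the key holder with channels other than the one permitted command, and a forced-command account whose shell is not /sbin/nologin can still be logged into by any other credential that reaches it.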