Re: rssh Vulnerability: Command Execution with allowscp
Brought to you by:
xystrus
From: Derek M. <co...@pi...> - 2019-01-23 21:21:21
|
On Thu, Jan 17, 2019 at 07:00:21PM -0800, Russ Allbery wrote: > Honestly, those of us still using this program should probably abandon it > and find some other solution. Yes, although given how hard solving this problem actually is, I don't think there exists any workable solution (for the general case--see below). By the way, AFAICT, the only reasonable alternative to RSSH I know of is scponly, and it looks like it was last updated less recently than RSSH was. I can't speak to how good a job it does at closing up all the holes as I've not tried to evaluate that since circa 2003. > The programs it tries to support are rather ill-behaved and make > this sort of security model almost impossible to maintain, as > witness by the fact that things like this keep coming up. You have no idea. Well, OK, *YOU* have some idea. =8^) The task wass complicated further by people continually asking for support for additional programs or features (which pretty much universally were very obviously not securable, FWIW), and my own caving to some of those requests (CVS, rsync in particular) when I should've known better... As Russ says, these things keep cropping up, as OS features, OpenSSH features, or features of the other tools RSSH is meant to safeguard, evolve. A robust solution would really require the OpenSSH folks to take this problem seriously and build in support to their own tools. Trying to provide a generalized solution is too complicated, and I've long since lost interest in solving the problem. [OpenSSH sort of does this now, since I believe OpenSSH 4.9, including chroot, but AFAIK only for sftp--another reason I "deprioritized" working on RSSH.] For serious security applications, RSSH should be considered insecurable, and unmaintained, from this point on. One of these days, I should really get around to updating the website to reflect that... My thanks to Russ for his efforts with the Debian package, and for providing some level of support when I was not paying much attention, for so long. -- Derek D. Martin http://www.pizzashack.org/ GPG Key ID: 0x81CFE75D |