Re: rssh Vulnerability: Command Execution with allowscp
From: Russ A. <ea...@ey...> - 2019-02-13 02:02:41
Derek Martin <co...@pi...> writes:

> I believe the patch fails to solve case #2 (the user specifies
> PKCS11Provider in ~/.ssh/config), which I believe can only be mitigated
> by preventing the user from uploading such a file, e.g. by providing a
> "safe" one for the user which is owned by root, not writable by the
> user, and having the parent (.ssh) directory also not owned by the user
> and not writable by the user.

This wouldn't surprise me, but could you explain more about why you say
that? I don't see anything in scp that would pay attention to the
PKCS11Provider configuration in ~/.ssh/config, so as long as scp doesn't
run ssh, I'm not seeing the mechanism whereby this code would be loaded.
The code to load it seems to only be in ssh.c.

> Making sure that the user's ssh config files are not modifiable by the
> user is a standard part of securing rssh, so if the above is done
> correctly, IIUC rssh should not actually be vulnerable to this attack at
> all. It is, as it has always been, the system administrator's
> responsibility to make sure their system is properly configured to
> prevent such breaches. I've always tried to offer guidance regarding
> that, but I've also been very clear (i.e. in the man page) that it's the
> sysadmin's responsibility to stay current with the various services that
> are used with rssh, and to configure them properly to prevent bypassing
> rssh.

This is a fair point, and perhaps it's not worth the effort of trying to
provide a security guarantee if the user can add files to .ssh or to the
user's home directory.

-- 
Russ Allbery (ea...@ey...) <http://www.eyrie.org/~eagle/>
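The locked-down layout described in this exchange (a root-owned ~/.ssh/config, a .ssh directory not owned or writable by the user, and, per the closing remark, a home directory the user cannot add files to) can be checked mechanically. The following audit script is an added example, not code from the rssh project or from either poster; the path set, the `audit_ssh_layout`/`demo` function names and the constructed sample home are assumptions of this example.

```python
"""Audit a user's home/.ssh against the locked-down layout described above."""
import os
import stat
import tempfile

WRITE_BITS = stat.S_IWGRP | stat.S_IWOTH  # group/world write bits


def audit_ssh_layout(home, user_uid):
    """Return a list of findings; an empty list means the layout is locked down.

    $HOME, $HOME/.ssh and $HOME/.ssh/config must each exist, not be a symlink,
    not be owned by the user, and carry no group/world write bit, so the user
    cannot add or edit client configuration (e.g. a PKCS11Provider line).
    """
    findings = []
    ssh_dir = os.path.join(home, ".ssh")
    for path in (home, ssh_dir, os.path.join(ssh_dir, "config")):
        try:
            st = os.lstat(path)
        except FileNotFoundError:
            findings.append(f"{path}: missing, so the user could create it")
            continue
        if stat.S_ISLNK(st.st_mode):
            findings.append(f"{path}: is a symlink")
            continue
        if st.st_uid == user_uid:
            findings.append(f"{path}: owned by uid {user_uid}")
        if st.st_mode & WRITE_BITS:
            findings.append(f"{path}: group/world writable (mode {oct(st.st_mode & 0o777)})")
    return findings


def demo():
    """Build a constructed sample home in a temp dir and audit it twice.

    Files are created by the calling uid (no privileges to chown to root), so
    the 'locked down' case audits as if the user were a different uid: owner
    != user and no group/world write, the same conditions a root-owned layout
    satisfies. Returns (findings for user-owned case, findings for locked case).
    """
    me = os.getuid()
    home = tempfile.mkdtemp(prefix="rssh-audit-")
    ssh_dir = os.path.join(home, ".ssh")
    os.mkdir(ssh_dir)
    cfg = os.path.join(ssh_dir, "config")
    with open(cfg, "w") as fh:
        fh.write("# constructed sample ssh client config\n")
    for path, mode in ((home, 0o755), (ssh_dir, 0o755), (cfg, 0o644)):
        os.chmod(path, mode)
    return audit_ssh_layout(home, me), audit_ssh_layout(home, me + 1)
```

Run `audit_ssh_layout(os.path.expanduser("~"), os.getuid())` against a real rssh account to list anything the user could still alter.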