From owner-freebsd-security@FreeBSD.ORG Wed Jun 9 14:52:46 2004 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 4CA3416A4CE; Wed, 9 Jun 2004 14:52:46 +0000 (GMT) Received: from rwcrmhc11.comcast.net (rwcrmhc11.comcast.net [204.127.198.35]) by mx1.FreeBSD.org (Postfix) with ESMTP id 285B643D2D; Wed, 9 Jun 2004 14:52:46 +0000 (GMT) (envelope-from cristjc@comcast.net) Received: from blossom.cjclark.org (c-24-6-187-112.client.comcast.net[24.6.187.112]) by comcast.net (rwcrmhc11) with ESMTP id <2004060914523001300963i5e>; Wed, 9 Jun 2004 14:52:36 +0000 Received: from blossom.cjclark.org (localhost. [127.0.0.1]) by blossom.cjclark.org (8.12.11/8.12.8) with ESMTP id i59EqUp9028132; Wed, 9 Jun 2004 07:52:31 -0700 (PDT) (envelope-from cristjc@comcast.net) Received: (from cjc@localhost) by blossom.cjclark.org (8.12.11/8.12.11/Submit) id i59EqOFt028131; Wed, 9 Jun 2004 07:52:24 -0700 (PDT) (envelope-from cristjc@comcast.net) X-Authentication-Warning: blossom.cjclark.org: cjc set sender to cristjc@comcast.net using -f Date: Wed, 9 Jun 2004 07:52:23 -0700 From: "Crist J. Clark" To: Doug Barton Message-ID: <20040609145223.GA53862@blossom.cjclark.org> References: <20040518160517.GA10067@therub.org> <20040520033024.GA26640@therub.org> <20040606233720.F1850@ync.qbhto.arg> <20040607204149.GC75747@blossom.cjclark.org> <20040609050217.Q5839@ync.qbhto.arg> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20040609050217.Q5839@ync.qbhto.arg> User-Agent: Mutt/1.4.2.1i X-URL: http://people.freebsd.org/~cjc/ X-Mailman-Approved-At: Mon, 14 Jun 2004 10:38:14 +0000 cc: "freebsd-security@freebsd.org" cc: Remko Lodder cc: "David E. Meier" cc: Dan Rue Subject: Re: [Freebsd-security] Re: Multi-User Security X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list Reply-To: cjclark@alum.mit.edu List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 09 Jun 2004 14:52:46 -0000 On Wed, Jun 09, 2004 at 05:03:02AM -0700, Doug Barton wrote: > On Mon, 7 Jun 2004, Crist J. Clark wrote: > > >On Sun, Jun 06, 2004 at 11:38:55PM -0700, Doug Barton wrote: > >>On Wed, 19 May 2004, Dan Rue wrote: > >> > >>>You obviously havn't tried to chroot scponly users.. _that's_ the tricky > >>>part. Especially if you want it to scale up beyond a handful of users. > >>>If i'm wrong - fill me in i'd love to hear how to do it. > >> > >>Have you considered using ~/.ssh/authorized_keys to restrict the account > >>from tty access? This would allow you to do commands (like scp) without > >>the risk of the user getting an actual shell. > > > > $ ssh host /bin/sh > > > >You don't need a tty to get an interactive shell. > > You can also enforce what commands the user can run to prevent this. > Read sshd(8) for more information. If you are talking about the "command" option for an authorized key, that is a useful functionality, but it does not really apply to the scp(1) case. If there is some other way to restrict the commands a user can execute via sshd(8) (besides passing the user to a restricted shell or other external control), I'm sorry, but I'm not catching on. Using command restrictions for authorized keys doesn't work for scp(1) since doing, $ scp host1:file1 file2 Actually runs, $ ssh host1 scp -f file1 As far as the SSH client-server interaction goes, you cannot specify a command in the authorized keys file and still have scp(1) work. Also due to the fact scp(1) works in this manner, any "scp-only" setup has to be able to defeat, $ ssh host1:'file1; command arg1 ..' file2 For example, try, $ scp host1:'/etc/motd; touch scp_test' /dev/null And check for 'scp_test' in the user's home directory on the server. To do scp-only, you either need (a) a hacked up sshd(8) daemon, (b) a jailed environment, or (c) a special shell for the user that only allows scp(1) to run. The funny thing is, I think (c) is probably the easiest to implement on a mass scale, but seems to be the option most seldom considered. -- Crist J. Clark | cjclark@alum.mit.edu | cjclark@jhu.edu http://people.freebsd.org/~cjc/ | cjc@freebsd.org