From owner-freebsd-security Thu Mar 28 1: 4:53 2002
Delivered-To: freebsd-security@freebsd.org
Received: from axis.tdd.lt (axis.tdd.lt [213.197.128.94])
	by hub.freebsd.org (Postfix) with ESMTP id BB77E37B404
	for ; Thu, 28 Mar 2002 01:04:44 -0800 (PST)
Received: from localhost (midom@localhost)
	by axis.tdd.lt (8.11.6/8.11.6) with ESMTP id g2S93pD29346;
	Thu, 28 Mar 2002 11:03:51 +0200 (EET)
	(envelope-from domas.mituzas@delfi.lt)
X-Authentication-Warning: axis.tdd.lt: midom owned process doing -bs
Date: Thu, 28 Mar 2002 11:03:51 +0200 (EET)
From: Domas Mituzas
X-X-Sender: midom@axis.tdd.lt
To: Jason Stone
Cc: Fernan Aguero, FreeBSD Security
Subject: Re: using ssh to run remote commands?
In-Reply-To: <20020328003857.J5333-100000@walter>
Message-ID: <20020328105535.W10792-100000@axis.tdd.lt>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

Hi,

I've been using my simplified shell for these reasons. I use it for
invoking programs/scripts in ~/bin/ (owned not by the user). Here's the
small source. Keep in mind it understands whitespace-separated strings as
different arguments, but that isn't my trouble actually.

It is called dsh (dumb shell, dammit-shell, delfi-shell, whatever :) and
is the main component of my service http://shells.dammit.lt/ (sorry, all
content is in Lithuanian, but you'd find it really amusing =)

Right now I'm also implementing a kind of sexec idea - passing argv as a
binary data structure via ssh tunnels and calling exec on the remote side.
Of course that should introduce an additional check, as right now the
ability to exec is specified by how the user's shell interprets the -c
argument. This security issue can be easily resolved by an AllowExec
parameter in sshd.conf. dumbsh was an intermediate step to a normal
secure remote procedure call.
BR,
Domas

/* $Id: main.c,v 1.6 2001/11/03 14:33:23 midom Exp $ */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define MAXARGS 10
#define ONLY "bin/"

int
main(int ac, char **av)
{
	char **ap, *argv[MAXARGS + 1], *is;	/* +1: room for the NULL terminator */

	/*
	 * sshd runs the login shell as "dsh -c 'command string'"; skip the
	 * first two arguments - the first gives the shell name, which we
	 * know, and the second gives "-c", which we also know.  Check the
	 * count before touching av[2], which is NULL when there is no
	 * command string.
	 */
	if (ac < 3)
		exit(0);
	av += 2;
	is = av[0];

	/* build argv from the stupid string, splitting on blanks and tabs */
	for (ap = argv; (*ap = strsep(&is, " \t")) != NULL;)
		if (**ap != '\0')
			if (++ap >= &argv[MAXARGS])
				break;
	*ap = NULL;	/* terminate argv even when the loop stopped at MAXARGS */

	if (argv[0] == NULL)	/* command string was empty or only blanks */
		exit(0);

	/* check for l33t guys */
	if (strstr(argv[0], "..") != NULL) {
		printf("breakin attempt\n");
		exit(0);
	}

	/*
	 * limiting access and running program: argv[0] must start with
	 * "bin/", relative to the cwd (sshd starts the shell in the home
	 * directory).  Compare the whole prefix including the slash, so
	 * that e.g. "binx/..." does not slip through.
	 */
	if (strncmp(argv[0], ONLY, strlen(ONLY)) == 0)
		execv(argv[0], argv);
	return (1);
}

> You can't - ssh will always try to run a command by calling the user's
> shell, so unless you patch it, you _must_ give the user a valid shell.
>
> The best you can do is to give the user a valid shell but an invalid
> password (eg, "*") and use ssh keys to authenticate.  For additional
> security, you can specify a command along with the key in the
> authorized_keys file so that the key can _only_ be used to run that
> command (and not to get a shell).  man ssh, ssh-keygen.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
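The quoted reply above recommends fixing the command in authorized_keys rather than writing a restricted shell. The wrapper below is an added example, not code from this thread or from dsh: it is the forced-command script that the `command=` option would point at. sshd puts the command the client asked for into SSH_ORIGINAL_COMMAND; the wrapper accepts only a first word that is on a fixed allowlist, passes the remaining words through as plain arguments, and execs the program directly, so no shell ever interprets the client's string. The allowlisted program paths and the `run-backup` script are assumptions for the example, as is the install path /usr/local/bin/sshwrap.

```sh
#!/bin/sh
# Forced-command wrapper for sshd (example code).  Install it as the
# command= of a key in ~/.ssh/authorized_keys, on one line, e.g.:
#   command="/usr/local/bin/sshwrap",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa AAAA... backup@client
# sshd then runs this wrapper instead of the requested command and puts
# the client's requested command line in SSH_ORIGINAL_COMMAND.

# Map an allowed command word to the program it may run.  Prints the
# absolute path and returns 0, or prints nothing and returns 1.
# The paths and the run-backup script are assumed for this example.
allowed_program() {
    case "$1" in
        uptime) echo /usr/bin/uptime ;;
        df)     echo /bin/df ;;
        backup) echo /usr/local/bin/run-backup ;;
        *)      return 1 ;;
    esac
}

# Validate a client command line and turn it into the argv we will exec.
# Prints "program arg..." and returns 0, or prints a reason on stderr and
# returns 1.  The client never chooses the program: the first word is only
# a key into the allowlist.  Arguments are limited to letters, digits,
# "_", ".", "/" and "-", which rules out shell metacharacters and the
# glob characters "*", "?" and "[" (arguments containing blanks cannot be
# passed through this wrapper).
resolve_command() {
    orig=$1
    if [ -z "$orig" ]; then
        echo "sshwrap: no command given" >&2
        return 1
    fi
    stripped=$(printf '%s' "$orig" | tr -d ' \t')
    case "$stripped" in
        *[!A-Za-z0-9_./-]*)
            echo "sshwrap: rejected characters in: $orig" >&2
            return 1 ;;
    esac
    # Field-split on whitespace; unquoted on purpose.  Nothing can glob
    # because the glob characters were rejected above.
    set -- $orig
    prog=$(allowed_program "$1") || {
        echo "sshwrap: command not allowed: $1" >&2
        return 1
    }
    shift
    if [ $# -gt 0 ]; then
        printf '%s\n' "$prog $*"
    else
        printf '%s\n' "$prog"
    fi
}

# Only dispatch when really invoked by sshd (it sets SSH_CONNECTION);
# sourcing this file elsewhere just defines the functions above.
if [ -n "${SSH_CONNECTION:-}" ]; then
    cmdline=$(resolve_command "${SSH_ORIGINAL_COMMAND:-}") || exit 1
    # shellcheck disable=SC2086
    exec $cmdline
fi
```

A client holding that key can run `ssh host uptime` or `ssh host df -h /home`, but `ssh host 'uptime; cat /etc/passwd'`, `ssh host /usr/bin/uptime` and `ssh host` with no command are all refused with an explanatory message on stderr. Because exec replaces the wrapper with the allowlisted program and never invokes a shell, the question of how the user's login shell interprets -c does not arise for this key; the no-pty and no-*-forwarding options in the key line close the remaining channels.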