From: Jason DiCioccio
To: "'andy@sambolian.net.nz'", freebsd-security@freebsd.org
Subject: RE: SSH proxy
Date: Tue, 19 Feb 2002 16:28:50 -0800
Message-ID: <657B20E93E93D4118F9700D0B73CE3EA02FFF442@goofy.epylon.lan>

One thing I can think of, which might not have any security
implications if you're running it as their login shell through sshd.
But, you'll probably want to set stuff like PATH and LD_LIBRARY_PATH in
the script (more importantly PATH) so that the path couldn't be poisoned
and the script couldn't be tricked into going to find those binaries in
other places. Might not affect you in this case, but usually a good
thing to do.

Cheers,
-JD-

-----Original Message-----
From: andy@sambolian.net.nz [mailto:andy@sambolian.net.nz]
Sent: Tuesday, February 19, 2002 4:21 PM
To: freebsd-security@freebsd.org
Subject: SSH proxy

Hi

I have a fbsd gateway at home through which I share our cable modem
with my flatmates. They have their own boxes on the lan and ssh to them
from work. At the moment we log into the gateway and from there ssh to
the box we want. I have made a shell script to automate this, and have
set it as the default shell for our accounts on the gateway.
It all works well but I would like to know if there is a better way and
also if there is a security risk with the way I have done it now.

Here is the script....

#!/bin/sh

# Print the banner.
echo
echo ---------------------------------------
echo ------------ SSH Proxy ----------------
echo ---------------------------------------
echo

SSH=/usr/bin/ssh
# Defaults: the gateway login name and the host used last time.
DEFAULTUSER=`whoami`
DEFAULTHOST=`cat ~/.sshproxyhost 2> /dev/null`

# Quote the prompts so [..] is not treated as a glob pattern.
echo -n "Enter username [${DEFAULTUSER}]:"
read USERNAME
echo -n "Enter host [${DEFAULTHOST}]:"
read HOSTNAME

# Fall back to the defaults when nothing was typed.
# Quoting keeps the tests correct for input containing spaces.
if [ -z "${USERNAME}" ]; then
    USERNAME=${DEFAULTUSER}
fi
if [ -z "${HOSTNAME}" ]; then
    HOSTNAME=${DEFAULTHOST}
fi
if [ -z "${HOSTNAME}" ]; then
    echo "Can not determine the hostname"
    exit 1
fi

# Remember the host for next time, then connect.
echo "${HOSTNAME}" > ~/.sshproxyhost
${SSH} -l "${USERNAME}" "${HOSTNAME}"
exit 0

cheers
Andrew

-------------------------------------------------
This mail sent through IMP: http://horde.org/imp/

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
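
Added example, not part of the original thread and not either poster's code: a hardened take on the wrapper that applies the PATH and LD_LIBRARY_PATH advice from the reply and also checks the typed values before they reach ssh. The install name "sshproxy", the helper names and the allowed character set are assumptions.

```sh
#!/bin/sh
# Added example: hardened take on the wrapper above. Names and the
# allow-list are assumptions, not taken from the original thread.

# Accept only non-empty names made of letters, digits, '.', '_' and '-',
# and never one starting with '-', which ssh would read as an option.
valid_token() {
    case "$1" in
        ''|-*|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    return 0
}

# Print the typed value, or the default when nothing was typed.
pick() {
    if [ -n "$1" ]; then printf '%s\n' "$1"; else printf '%s\n' "$2"; fi
}

main() {
    # Fixed search path and no inherited loader path, per the reply above.
    PATH=/bin:/usr/bin; export PATH
    unset LD_LIBRARY_PATH
    ssh=/usr/bin/ssh
    hostfile="$HOME/.sshproxyhost"

    default_user=$(id -un)
    default_host=$(cat "$hostfile" 2>/dev/null)

    printf 'Enter username [%s]: ' "$default_user"
    read -r typed_user || exit 1
    printf 'Enter host [%s]: ' "$default_host"
    read -r typed_host || exit 1

    user=$(pick "$typed_user" "$default_user")
    host=$(pick "$typed_host" "$default_host")

    if ! valid_token "$user" || ! valid_token "$host"; then
        echo "Invalid username or hostname" >&2
        exit 1
    fi

    printf '%s\n' "$host" > "$hostfile"
    # exec replaces the wrapper, so no shell is left behind when ssh exits.
    exec "$ssh" -l "$user" -- "$host"
}

# Run only when installed under the assumed name "sshproxy".
case "${0##*/}" in
    sshproxy) main ;;
esac
```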