Date: Mon, 2 Nov 1998 00:00:23 -0500 (EST) From: Robert Watson <robert@cyrus.watson.org> To: "Jan B. Koum " <jkb@best.com> Cc: Peter Jeremy <peter.jeremy@auss2.alcatel.com.au>, freebsd-security@FreeBSD.ORG, winter@jurai.net Subject: Re: SSH vsprintf patch. (You've been warned Mr. Glass) Message-ID: <Pine.BSF.3.96.981101235643.12128A-100000@fledge.watson.org> In-Reply-To: <19981101192724.A26335@best.com>
next in thread | previous in thread | raw e-mail | index | archive | help
On Sun, 1 Nov 1998, Jan B. Koum wrote: > > The problem with C is that there are too many ways to shoot yourself > > in the foot... A full security audit on ssh (which it sounds like it > > might need) would be fairly time-consuming. > > Which is why when you install ssh, you can run ./configure with > "--disable-suid-ssh" argument. I imagine that the concern in the rootshell case is more that the daemon must run as root. It needs to do so for three reasons (that I can think of offhand): 1) To bind port 22 2) To read the system-wide SSH private key and most importantly: 3) To allow it to acquire the priveledges of the user who is logging in An alternative might be to have SSH run as non-root, give it a capability to have it bind 22, have the private key readable by that user, and then have it set up sockets to login (I don't know it can allocate vty's as non-root?) Then you don't get the SSH RSA-key behavior, but you'd get the rest. In a sense though, this is equivilent because: a buffer overflow allows the subversion of that SSH account, then that can be used to attach via debugging to the other sshd sessions to grab authentication information being forwarded to login. I guess you lose either way. Sensitive code (such as authentication code) must be written carefully. Robert N Watson Carnegie Mellon University http://www.cmu.edu/ TIS Labs at Network Associates, Inc. http://www.tis.com/ SafePort Network Services http://www.safeport.com/ robert@fledge.watson.org http://www.watson.org/~robert/ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.BSF.3.96.981101235643.12128A-100000>