
Mailing List Archive: OpenSSH: Dev

Disabling $HOME/.ssh/rc

 

 



lists at spuddy

Oct 22, 2009, 9:07 AM

Disabling $HOME/.ssh/rc

Sorry if this is a silly question, but I couldn't see how to stop this.

I'm concerned with the use of ~/.ssh/rc and similar files. The problem
is that if $HOME is on an NFS server then this essentially means user
accounts can be compromised due to ssh activity, or a locked down account
(command= restrictions) may be able to exceed its expected access rights.

We already put authorized_keys into /etc (painful; means every host needs
touching) and would like to be able to prevent other types of non-approved
execution.

Ideas?

Thanks!

--

rgds
Stephen
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev[at]mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev


scott_n at xypro

Oct 22, 2009, 11:25 AM

RE: Disabling $HOME/.ssh/rc

> Sorry if this is a silly question, but I couldn't see how to stop
> this.
>
> I'm concerned with the use of ~/.ssh/rc and similar files. The
> problem is that if $HOME is on an NFS server then this essentially
> means user accounts can be compromised due to ssh activity, or a
> locked down account (command= restrictions) may be able to exceed its
> expected access rights.
>
> We already put authorized_keys into /etc (painful; means every host
> needs touching) and would like to be able to prevent other types of
> non-approved execution.
>

Guess what? You get to edit and distribute authorized_keys again. If
you look at the man for sshd, in the authorized_keys section, you see
that you can add no-user-rc as a comment on any particular key.
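
An added example, not part of the original thread or of OpenSSH: a small Python audit that lists the keys in an authorized_keys file that would still allow ~/.ssh/rc to run, based on the no-user-rc option named in the reply above. It also honours the restrict and user-rc options from later OpenSSH releases, which the thread does not mention; the sample file contents and the function names are constructed for illustration.

```python
import re

KEY_PREFIXES = ("ssh-", "ecdsa-sha2-", "sk-")   # a line starting like this has no options
OPTION = re.compile(r'(?:[^\s,"]|"(?:\\.|[^"\\])*")+')  # one option, quotes kept intact

SAMPLE = '''\
# constructed sample, key material is placeholder text
ssh-ed25519 AAAAC3NzaExample1 alice@example
command="/usr/local/bin/backup, nightly",no-pty ssh-rsa AAAAB3NzaExample2 backup@example
command="/usr/bin/rrsync /srv",no-user-rc,no-pty ssh-ed25519 AAAAC3NzaExample3 sync@example
restrict,command="uptime" ssh-ed25519 AAAAC3NzaExample4 mon@example
restrict,user-rc ssh-ed25519 AAAAC3NzaExample5 dev@example
'''

def split_options(line):
    """Return the options field of one authorized_keys line as a list."""
    if line.startswith(KEY_PREFIXES):
        return []
    opts, pos = [], 0
    while (m := OPTION.match(line, pos)):
        opts.append(m.group())
        pos = m.end()
        if line[pos:pos + 1] != ",":
            break          # unquoted whitespace ends the options field
        pos += 1
    return opts

def user_rc_allowed(opts):
    """Apply the rc-related options in order; ~/.ssh/rc runs unless disabled."""
    allowed = True
    for opt in (o.lower() for o in opts):
        if opt in ("no-user-rc", "restrict", "user-rc"):
            allowed = opt == "user-rc"
    return allowed

def audit(text):
    """Return (line_no, has_forced_command) for each key that still permits ~/.ssh/rc."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opts = split_options(line)
        if user_rc_allowed(opts):
            findings.append((n, any(o.lower().startswith("command=") for o in opts)))
    return findings

if __name__ == "__main__":
    for n, forced in audit(SAMPLE):
        print(f"line {n}: ~/.ssh/rc permitted" + (" despite command=" if forced else ""))
```

Entries flagged with a forced command are the ones the original question is about: a command= restriction alone does not stop ~/.ssh/rc from running.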





lists at spuddy

Oct 22, 2009, 12:19 PM

Re: Disabling $HOME/.ssh/rc

On Thu, Oct 22, 2009 at 11:25:07AM -0700, Scott Neugroschl wrote:
> > I'm concerned with the use of ~/.ssh/rc and similar files. The
> > problem is that if $HOME is on an NFS server then this essentially
> > means user accounts can be compromised due to ssh activity, or a
> > locked down account (command= restrictions) may be able to exceed its
> > expected access rights.

> Guess what? You get to edit and distribute authorized_keys again. If
> you look at the man for sshd, in the authorized_keys section, you see
> that you can add no-user-rc as a comment on any particular key.

*google**google*

Hmm, that came in with 4.9p1?

Unfortunately the product we're using (which I believe runs a modified sshd)
uses 4.3p2. Hmm.

Maybe we should push the vendor to upgrade!

Thanks.

Rgds
Stephen
