Re: OT: security of make as authorized_keys command

2007/12/31, Dave Burns <tburns@xxxxxxxxxx>:
> I should probably ask this on an ssh oriented list, but I thought I'd
> try my luck here first.
>
> I want to do some remote commands securely. I put a key in my
> .ssh/authorized_keys file like so:
>
> command="/usr/bin/make $SSH_ORIGINAL_COMMAND" ssh-rsa AAAAB3NzaC1[etc.etc.]
>
> so I can invoke make targets like so:
>
> ssh username@host target
>
> Assuming the bad guys never get my key, I am fine, even though it is
> passwordless.
>
> What if a bad guy does get my key? Then I see three possible problems:
>
> 1) somehow use make's -F switch in ssh command to change Makefiles?
> 2) stack overflow of make or ssh?
> 3) Somehow put extra command after make target using ';' or something?
>
> And obviously the bad guy can invoke any of the targets in my
> makefile, but I've made them pretty innocuous.
>
> So, should I seriously worry about any of these potential problems?
> Any other holes I haven't thought of?
>
> The motivation for all this is some cron jobs I want to run, which obviously
> calls for a passwordless ssh key, but I want to put some limits on it.
>

Morning Dave,

This is such a dangerous thing, I have to say.
First off, and regarding what a bad guy could do...
If he had access to $command it means he would be able to know the key,
so he can log in without a problem to the remote machine (not just
executing remote commands, which would involve a wee bit of experience
in Linux environments to know the remote paths and all that; if he got
access to the machine it would be easier. I hope I'm explaining myself
quite clearly).

Secondly, keeping in mind he would log in as a user, he could change
makefiles owned by the user, and compile them, most likely, which leads
us to the fact of being able to do really nasty things in your system.

I don't see the point actually in doing what you're doing to run cron
jobs on the remote machine; why don't you just use cron? It was
designed for that. What's the point of running remote commands and
leaving the key visible?

You asked if you should worry about all that. I'd do it.
We don't know yet in which scenario all this is running; if
you're doing this between two systems in your home, without being
exposed to the internet, or with some kind of iptables rules to allow ssh
connections from one IP and all that... you know, we could let it go.
But from my point of view, and even being a small scenario (I really
want to hope you're not using this in a production environment or
professional ones..), people should be concerned as much as possible
that someone can compromise your system; whether it is a small network
at home or a huge company network, it is much better not to play
with fire. It is not too much effort to do things in a good way;
you'll feel safer and you won't let your network be at risk.
Technically it will be, whether you do it well or badly (everybody
knows any machine on the internet is at risk), but it will be less
risky if you do things well.

Hope this helps.
Manuel.
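One way to put the limits Dave asks about in place, as an added example that is not part of this thread or anyone's posted configuration: instead of handing $SSH_ORIGINAL_COMMAND straight to make, use a small wrapper script as the forced command that accepts exactly one allowlisted target name and refuses everything else (option-looking words such as -f, extra words, ';' and so on), so only the named targets can ever run. The install path, the target names and the makefile location are assumptions.

```shell
#!/bin/sh
# Hypothetical forced-command wrapper for ~/.ssh/authorized_keys, e.g.:
#   command="/usr/local/bin/make-wrapper" ssh-rsa AAAAB3NzaC1[...]
# (the path and the target names below are assumptions, not from the post).

# Allowlist of make targets this key may invoke (constructed example).
ALLOWED_TARGETS="backup rotate-logs status"

# check_target NAME
# Returns 0 if NAME is exactly one of the allowlisted targets, 1 otherwise.
# Exact matching means "-f", "-C", "backup extra" or "" never qualify.
check_target() {
    t=$1
    for allowed in $ALLOWED_TARGETS; do
        [ "$t" = "$allowed" ] && return 0
    done
    return 1
}

# run_forced_command "ORIGINAL COMMAND STRING"
# Refuses anything that is not a single plain word on the allowlist and
# returns 1 (logging the reason to stderr, which sshd forwards to the client);
# otherwise execs make in the login directory with "--" so the word can
# never be read as an option.
run_forced_command() {
    cmd=$1
    case "$cmd" in
        '' | *[!A-Za-z0-9_-]*)   # empty, or anything beyond a plain name
            echo "refused: '$cmd'" >&2
            return 1 ;;
    esac
    if ! check_target "$cmd"; then
        echo "refused: unknown target '$cmd'" >&2
        return 1
    fi
    exec /usr/bin/make -- "$cmd"
}

# Dispatch only when sshd has set SSH_ORIGINAL_COMMAND (i.e. when running
# as a forced command); loading the file elsewhere just defines functions.
if [ -n "${SSH_ORIGINAL_COMMAND+set}" ]; then
    run_forced_command "$SSH_ORIGINAL_COMMAND"
    exit $?
fi
```

With this in place, "ssh username@host backup" still works, while "ssh username@host '-f /tmp/x'" or "ssh username@host 'backup; id'" is refused before make is ever started.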

