On Thu, Jan 17, 2019 at 07:00:21PM -0800, Russ Allbery wrote:
> Here is a COMPLETELY UNTESTED patch that might fix this problem. If I can
> find the time, I'll try to do some testing and patch the Debian package.
>
> If anyone else who is still using rssh has a chance to look at this, test,
> do code review, etc., that would be much appreciated. This is based on
> looking at the source code of OpenSSH 7.9p1, so it's entirely possible
> that other versions need to pass other arguments that aren't accepted
> here.
I believe the patch fails to solve case #2 (the user specifies PKCS11Provider in ~/.ssh/config), which I believe can only be mitigated by preventing the user from uploading such a file, e.g. by providing a "safe" one for the user which is owned by root, not writable by the user, and having the parent (.ssh) directory also not owned by the user and not writable by the user.

Another way to mitigate this, I believe, is to specify the system's correct PKCS11Provider (or, I believe, a completely bogus one) in the user's authorized_keys file, in the options field of every authorized key, which overrides whatever the user asked for. Again, the file must not be modifiable by the user.

Making sure that the user's ssh config files are not modifiable by the user is a standard part of securing rssh, so if the above is done correctly, IIUC rssh should not actually be vulnerable to this attack at all. It is, as it has always been, the system administrator's responsibility to make sure their system is properly configured to prevent such breaches. I've always tried to offer guidance regarding that, but I've also been very clear (i.e. in the man page) that it's the sysadmin's responsibility to stay current with the various services that are used with rssh, and to configure them properly to prevent bypassing rssh.

-- 
Derek D. Martin
http://www.pizzashack.org/
GPG Key ID: 0x81CFE75D
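The ownership and permission rule described in the message above (the .ssh directory, the ssh client config and authorized_keys owned by an account other than the rssh user, typically root, and not writable by that user) can be checked mechanically. The script below is an added example written for this thread; it is not part of rssh, OpenSSH or the Debian package. It assumes GNU `stat` (Linux), the default `~/.ssh/authorized_keys` location, and that the home directory and user name are passed as arguments.

```shell
#!/bin/sh
# Constructed audit helper for the mitigation discussed in this thread
# (not rssh's own code). It verifies that a restricted user's ssh client
# configuration cannot be modified by that user. Assumes GNU stat (Linux)
# and the default ~/.ssh/authorized_keys location.

# check_locked PATH USER
# Returns 0 when PATH exists, is not a symlink, is not owned by USER and has
# no group/other write bits; prints the reason and returns 1 otherwise.
# Group-writable entries are rejected outright, without consulting USER's
# group membership, which is the conservative choice for an audit.
check_locked() {
    path="$1"
    user="$2"
    # A symlink is rejected first so that a dangling one is reported as such.
    if [ -L "$path" ]; then
        echo "FAIL: $path is a symlink"
        return 1
    fi
    if [ ! -e "$path" ]; then
        echo "FAIL: $path does not exist (the user could create it)"
        return 1
    fi
    owner=$(stat -c '%U' "$path")
    if [ "$owner" = "$user" ]; then
        echo "FAIL: $path is owned by $user"
        return 1
    fi
    # stat %a prints the mode in octal (e.g. 644 or 1755). The leading 0 makes
    # the shell parse it as octal, so the mask 022 selects the group and
    # other write bits.
    perm=$((0$(stat -c '%a' "$path")))
    if [ $((perm & 022)) -ne 0 ]; then
        echo "FAIL: $path is group- or world-writable"
        return 1
    fi
    echo "OK: $path owned by $owner, mode $(stat -c '%a' "$path")"
    return 0
}

# audit_user_ssh HOME USER
# Checks the .ssh directory and both files; returns the number of failing
# checks, so 0 means the layout matches the mitigation above.
audit_user_ssh() {
    home="$1"
    user="$2"
    failures=0
    for p in "$home/.ssh" "$home/.ssh/config" "$home/.ssh/authorized_keys"; do
        check_locked "$p" "$user" || failures=$((failures + 1))
    done
    return "$failures"
}

# usage: sh audit_rssh_user.sh /home/alice alice   (placeholder path/user)
if [ "$#" -eq 2 ]; then
    audit_user_ssh "$1" "$2"
fi
```

The directory check matters as much as the file checks: if the user owns or can write to `.ssh`, they can replace the "safe" config with their own regardless of the config file's permissions, which is why the script also refuses symlinks and treats a missing file as a failure rather than a pass.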
_______________________________________________
rssh-discuss mailing list
rssh-discuss@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/rssh-discuss