Derek Martin <c...@pizzashack.org> writes:

> I believe the patch fails to solve case #2 (the user specifies
> PKCS11Provider in ~/.ssh/config), which I believe can only be mitigated
> by preventing the user from uploading such a file, e.g. by providing a
> "safe" one for the user which is owned by root, not writable by the
> user, and having the parent (.ssh) directory also not owned by the user
> and not writable by the user.

This wouldn't surprise me, but could you explain more about why you say
that? I don't see anything in scp that would pay attention to the
PKCS11Provider configuration in ~/.ssh/config, so as long as scp doesn't
run ssh, I'm not seeing the mechanism whereby this code would be loaded.
The code to load it seems to only be in ssh.c.

> Making sure that the user's ssh config files are not modifiable by the
> user is a standard part of securing rssh, so if the above is done
> correctly, IIUC rssh should not actually be vulnerable to this attack at
> all. It is, as it has always been, the system administrator's
> responsibility to make sure their system is properly configured to
> prevent such breaches. I've always tried to offer guidance regarding
> that, but I've also been very clear (i.e. in the man page) that it's the
> sysadmin's responsibility to stay current with the various services that
> are used with rssh, and to configure them properly to prevent bypassing
> rssh.

This is a fair point, and perhaps it's not worth the effort of trying to
provide a security guarantee if the user can add files to .ssh or to the
user's home directory.

-- 
Russ Allbery (ea...@eyrie.org) <http://www.eyrie.org/~eagle/>

_______________________________________________
rssh-discuss mailing list
rssh-discuss@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/rssh-discuss