Re: OT: security of make as authorized_keys command

Manuel Arostegui Ramirez wrote:
> 
> Morning Dave,
> 
> This is such a dangerous thing, I have to say.
> First off, and regarding to the fact of what a bad guy could do...
> If he had access to $command it means it would be able to know the key,
> so he can log in without a problem in the remote machine (not just
> executing remote commands which would involve a wee bit of experience
> in Linux environments to know the remote paths and all that, if he got
> access to the machine it would be easier. I hope I'm explaining myself
> quite clear).
> 
I don't believe this is true. From the sshd man page:

command="command"
     Specifies that the command is executed whenever this key is
     used for authentication. The command supplied by the user (if
     any) is ignored. The command is run on a pty if the client
     requests a pty; otherwise it is run without a tty. If an 8-bit
     clean channel is required, one must not request a pty or should
     specify no-pty. A quote may be included in the command by
     quoting it with a backslash. This option might be useful to
     restrict certain public keys to perform just a specific
     operation. An example might be a key that permits remote backups
     but nothing else. Note that the client may specify TCP and/or
     X11 forwarding unless they are explicitly prohibited.  Note that
     this option applies to shell, command or subsystem execution.

Mikkel
-- 

  Do not meddle in the affairs of dragons,
for thou art crunchy and taste good with Ketchup!
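
The forwarding caveat in the man page text quoted above can be checked mechanically. The following Python script is an added example, not part of the original message: it parses the options field of authorized_keys lines and reports keys whose forced command still leaves TCP or X11 forwarding available. The function names, the sample key lines and the make target are constructed for illustration; `restrict` and the re-enabling keywords are OpenSSH options that the quoted excerpt does not mention.

```python
import re
KEY_TYPE = re.compile(r"^(ssh-|ecdsa-|sk-)")  # line begins with a key type: no options field

def split_options(line):
    """Split one authorized_keys line into (options list, remainder)."""
    line = line.strip()
    if KEY_TYPE.match(line):
        return [], line
    opts, cur, in_quote, i = [], "", False, 0
    while i < len(line):
        ch = line[i]
        if in_quote and ch == "\\" and line[i + 1:i + 2] == '"':
            cur, i = cur + '"', i + 2      # quote escaped with a backslash, per the man page
            continue
        if ch == '"':
            in_quote = not in_quote
        elif ch == "," and not in_quote:
            opts.append(cur)
            cur = ""
        elif ch in " \t" and not in_quote:
            break                          # unquoted whitespace ends the options field
        else:
            cur += ch
        i += 1
    return opts + [cur], line[i:].strip()

def audit(line):
    """Return (forced command or None, list of findings) for one key line."""
    opts, _rest = split_options(line)
    forced, allowed = None, {"port-forwarding": True, "x11-forwarding": True}
    for opt in opts:
        name, _, value = opt.partition("=")
        name = name.lower()                # option keywords are case-insensitive
        if name == "command":
            forced = value
        elif name == "restrict":           # OpenSSH option that disables all forwarding
            allowed = dict.fromkeys(allowed, False)
        elif name in allowed:              # explicit re-enable after "restrict"
            allowed[name] = True
        elif name.startswith("no-") and name[3:] in allowed:
            allowed[name[3:]] = False
    findings = [] if forced is not None else ["no forced command"]
    return forced, findings + [f"{k} still allowed" for k, v in allowed.items() if v]

SAMPLE = [  # constructed lines; key material and make target are placeholders
    'command="make -C /srv/build" ssh-ed25519 AAAAC3constructed build@example',
    'command="make -C /srv/build",no-port-forwarding,no-X11-forwarding ssh-ed25519 AAAAC3constructed build@example',
]
if __name__ == "__main__":
    print(*map(audit, SAMPLE), sep="\n")
```

The first sample line is reported with both forwarding types still allowed even though its command is forced; the second produces no findings.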
