On 03/21/2014 07:59 PM, Eldon Koyle wrote:
> It looks like they are all over the place. See:
> http://www.in-ulm.de/~mascheck/various/argmax/#results
> for some actual numbers (however a lot of those seem to be pretty
> obscure *NIX variants).

Nice find. With the exception of a few operating systems from the 1970s (on which OpenSSH is unlikely to run anyway), those are all at least 5 KiB, which is about double the largest possible key size generated by OpenSSH's ssh-keygen.

> You can check sysconf(_SC_ARG_MAX) to get an idea of the size limit.
> See:
> http://www.in-ulm.de/~mascheck/various/argmax/
> for more detailed information.
>
> Also, setenv/putenv should return an error rather than overflow the
> buffer if the variable is too large.

Similarly, exec should fail with E2BIG if the data is too large. So this is testable at runtime, when the peer sends a large key; in the event that the variable is too large, AuthorizedKeysCommand would simply fail closed. I think this is reasonable.

We could also deliberately constrain the key size, and decline to execute AuthorizedKeysCommand (or execute it without passing any key as an environment variable or argument) if the client's proposed key is larger than the largest key generated by ssh-keygen (16 KiB at the moment). This strikes me as a reasonable limit.

> The only other concern would be a buffer overflow in the
> AuthorizedKeysCommand. See:
> https://www.owasp.org/index.php/Buffer_Overflow_via_Environment_Variables
> for an example.

Sure, but this is a risk whether the data comes in via environment variables or stdin or argv or a local file, right?

Given the discussion, I'm still leaning toward either an environment variable or argv. Given that we're already using argv for the username, I think a second argv parameter would be the cleanest.

--dkg
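The fail-closed runtime check discussed in the thread (a cap at the largest key ssh-keygen generates, plus a sysconf(_SC_ARG_MAX) comparison before handing the key to AuthorizedKeysCommand as a second argv parameter), written out as an added example. This is illustrative code, not OpenSSH's; the function names, the 16 KiB cap taken from the message above, and the argv layout (command, username, key) are assumptions.

```c
/* Added example, not OpenSSH code: decide whether a peer-supplied key may be
 * passed to AuthorizedKeysCommand on the command line. The check fails
 * closed: an oversized key, or one that would not fit in the kernel's
 * argument space, is rejected before any exec is attempted. */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <limits.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Assumed cap: the thread's figure for the largest key ssh-keygen produces. */
#define MAX_KEY_BYTES (16 * 1024)

/* Sum of strlen+1 (plus one pointer slot) over an envp-style array. ARG_MAX
 * covers argv and envp together, so the environment must be charged too. */
size_t env_bytes(char *const envp[])
{
    size_t total = 0;
    for (size_t i = 0; envp != NULL && envp[i] != NULL; i++)
        total += strlen(envp[i]) + 1 + sizeof(char *);
    return total;
}

/* Returns 1 if a key of keylen bytes may be passed as argv[2] to a command
 * whose path is cmdlen bytes long, with a userlen-byte username in argv[1]
 * and envbytes of environment; returns 0 when the request must fail closed.
 * Two independent limits apply: the local key-size cap and ARG_MAX. */
int key_fits_argv(size_t keylen, size_t cmdlen, size_t userlen, size_t envbytes)
{
    long argmax;

    if (keylen == 0 || keylen > MAX_KEY_BYTES)
        return 0;

    errno = 0;
    argmax = sysconf(_SC_ARG_MAX);
    if (argmax < 0) {
        if (errno == 0)
            argmax = _POSIX_ARG_MAX; /* indeterminate: assume the POSIX minimum */
        else
            return 0;                /* query failed: fail closed */
    }

    /* Each argv string carries a NUL terminator; reserve a pointer slot per
     * argument as well, since some kernels count the pointer arrays. */
    size_t needed = (cmdlen + 1) + (userlen + 1) + (keylen + 1)
                  + 3 * sizeof(char *) + envbytes;
    return needed <= (size_t)argmax;
}

int main(void)
{
    /* Constructed inputs: a small environment, a typical key, an oversized one. */
    char *const env[] = { "PATH=/usr/bin:/bin", "LANG=C", NULL };
    size_t envsz = env_bytes(env);

    printf("ARG_MAX on this host: %ld\n", sysconf(_SC_ARG_MAX));
    printf("8 KiB key:  %s\n", key_fits_argv(8 * 1024, 24, 5, envsz) ? "accept" : "reject");
    printf("32 KiB key: %s\n", key_fits_argv(32 * 1024, 24, 5, envsz) ? "accept" : "reject");
    return 0;
}
```

The cap is checked first so that the decision does not depend on the host's ARG_MAX, which the linked survey shows varies widely; the sysconf comparison then catches the hosts where even a capped key would push exec into E2BIG, which is the "fail closed" outcome the message describes.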