Re: AuthorizedKeysCommand size issue?


 



On 2014-04-15 12:31, Daniel Kahn Gillmor wrote:
> On 04/15/2014 09:47 AM, Dag-Erling Smørgrav wrote:
>> Or even 'echo "$(curl ...)"'
>
> This is potentially dangerous if curl produces a string that starts with
> a hyphen ("-"); in this case, echo will interpret the string as a set of
> option flags instead of as an argument to be repeated.
>
> You might prefer:
>
>    printf "%s" "$(curl ...)"
>
> But I do also share Damien's general automatic aversion to using curl in
> this context, *especially* over cleartext HTTP.  yikes!



I appreciate the concern, but:

- this is using S3, so https,

- the only access anybody but Amazon has to S3 is upload/download content to it. If somebody gets hold of our keys to access S3, they can actually shut down our instances (VMs) anyway. I'm sure the S3 servers have potential vulnerabilities, but this is way less likely than with an average web server with ssh access exposed to the net.

- this would be strictly from AWS instances using DNS from Amazon (who owns S3), and DNS is done over AWS private network, which means it is very unlikely that somebody will hijack DNS.

--
Yves.

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
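
The echo/printf difference discussed in this thread, as an added example that is not part of any poster's message. fetch_keys is a hypothetical stand-in for the `curl ...` call and returns constructed data so the script runs offline; the exit-status check in emit_with_printf goes beyond what the thread covers.

```shell
#!/bin/sh
# Added example: two ways an AuthorizedKeysCommand wrapper can print what it fetched.

# Hypothetical stand-in for `curl ...`; every response below is constructed.
fetch_keys() {
    case "$1" in
        flag)
            # Response body that is nothing but an echo option.
            printf '%s' '-n' ;;
        fail)
            # Transfer that breaks off part-way and reports an error.
            printf '%s\n' 'ssh-ed25519 AAAAC3Nza'
            return 1 ;;
        *)
            # Placeholder entry, not a real key.
            printf '%s\n' 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIconstructedconstructedconstructedconst demo@example' ;;
    esac
}

# The echo form: the fetched text becomes echo's first argument, so a body of
# "-n" is consumed as a flag, and the command's exit status is echo's own.
emit_with_echo() {
    echo "$(fetch_keys "$1")"
}

# The printf form: the format string is fixed and the fetched text is only
# ever data. Capturing into a variable first keeps the fetch exit status, so a
# failed or partial transfer prints nothing and returns non-zero.
emit_with_printf() {
    keys=$(fetch_keys "$1") || return 1
    printf '%s\n' "$keys"
}

# Stand-alone run: print the constructed entry the safe way.
emit_with_printf "${1:-ok}"
```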




