On 30.06.23 00:06, MCMANUS, MICHAEL P wrote:
> An authorized penetration tester brought to my attention that the private key embedded in the application can be extracted and used to launch a WinSCP session against the user ID which the client uses to send the data to the server.
As it happens, I have a system using dedicated keypairs and forced commands configured for them to extract survey data from CentOS 7 boxes, so let me try that ...
$ ssh -t -q autoquest@bongo -p 29056 -i .ssh/id_uptime_ed25519
16881100661684949224 685215 0
$ sftp -P 29056 -i .ssh/id_uptime_ed25519 -q autoquest@bongo
Received message too long 825636920
Hm. Some specific quirk of WinSCP, maybe ... ? [grabs Win10 box] [updates WinSCP to 6.1.1] [adds keypair to both ends]... gets me an error (-> screenshot) suggesting that it received the output from the forced command, and logs that the sshd has indeed run the forced command. Sorry, cannot confirm so far ...
> I ran the client as is and received the following entry in the log:
> Command: 2>/dev/null
That's a weird, I'd even say nonfunctional, remote command, and makes me suspect that your ssh command has a syntax problem ... ?
Kind regards,
-- 
Jochen Bern
Systems Engineer
Binect GmbH
_______________________________________________ openssh-unix-dev mailing list openssh-unix-dev@xxxxxxxxxxx https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
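Added example, not part of the original message: SFTP packets start with a big-endian uint32 length, so the number in sftp's "Received message too long" error is simply the first four bytes the server sent. The sketch below decodes the value from the session quoted above and compares it with what the same key printed over plain ssh, which shows the sftp client was fed the forced command's output; the function names are illustrative.

```python
import re
import struct

# Both strings are copied from the terminal session in the message above.
SFTP_ERROR = "Received message too long 825636920"
FORCED_COMMAND_OUTPUT = "16881100661684949224 685215 0"


def length_field_bytes(error_line):
    """Return the four bytes the sftp client interpreted as a packet length."""
    match = re.search(r"Received message too long (\d+)", error_line)
    if match is None:
        raise ValueError("not a 'Received message too long' line")
    value = int(match.group(1))
    if value > 0xFFFFFFFF:
        raise ValueError("value does not fit in a uint32 length field")
    # SFTP length fields are unsigned 32-bit, network byte order.
    return struct.pack(">I", value)


def explain(error_line, observed_output):
    """Decode the bogus length and check it against text seen over plain ssh."""
    raw = length_field_bytes(error_line)
    printable = all(0x20 <= b < 0x7F for b in raw)
    text = raw.decode("ascii") if printable else None
    return {
        "bytes": raw,
        # None means the server sent something other than plain ASCII text.
        "text": text,
        # True means sftp received the start of the forced command's output
        # instead of an SFTP packet, i.e. the forced command did run.
        "matches_output": text is not None and observed_output.startswith(text),
    }


if __name__ == "__main__":
    result = explain(SFTP_ERROR, FORCED_COMMAND_OUTPUT)
    print("length field bytes:", result["bytes"])
    print("as text:", result["text"])
    print("prefix of forced-command output:", result["matches_output"])
```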