Re: ssh

On Wed, Oct 31, 2007 at 03:09:36PM +0000, Daniel Bye wrote:
On Wed, Oct 31, 2007 at 03:23:57PM +0100, Michael Grant wrote:
Yeah, I misread your problem. Are you saying that you want to su to root,
but still have some variables set as they were on the account you sued from?
So you have a user named Michael, say, and you su to root, but when you ssh
you want Michael's .ssh to be the effective one?

Well sort of. When I su, $HOME is set to my homedir and $USER set to
mgrant. This is fine. However, ssh (when sued) doesn't read
$HOME/.ssh, it reads /root/.ssh. And it's not defaulting to logging
into the remote machine as $USER, it tries to log in as root. It does
this because it's hardwired in the code more or less as follows (I've
extracted the relevant code from ssh.c):

original_real_uid = getuid();
pw = getpwuid(original_real_uid);
sprintf(buf, "%s/%s", pw->pw_dir, "ssh-config");
read_config_file(buf);
options.user = strdup(pw->pw_name);

Like I said, it seems like a bug to me. Personally I would have done
a getenv("HOME") and getenv("USER") myself instead of depending on the
userid. Probably they had good reason for doing it the way they did
it.

Probably to do with the fact that both $HOME and $USER can be set by the
user to any arbitrary value:

[daniel@torus:~] --->$ echo $USER $HOME
daniel /home/daniel
[daniel@torus:~] --->$ USER=root
[daniel@torus:~] --->$ HOME=/root
[daniel@torus:/home/daniel] --->$ echo $USER $HOME
root /root
[daniel@torus:/home/daniel] --->$ cd
[daniel@torus:~] --->$ pwd
/root

Not so good for security!

Dan

But the same effect can be achieved by specifying the identity file:

ssh -i /root/.ssh/id_dsa

So this file still needs appropriate permissions to prevent misuse by
other users. I'm pretty curious to know why the developers chose this
path. If it's not actually a bug, but a security concern, then it
would be a good learning experience for me!

Erik
_______________________________________________
freebsd-questions@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscribe@xxxxxxxxxxx"

Relevant Pages

  • RE: Linux hacked
    ... Also, what exactly did the history file show, can you paste it into a mail ... > First let me say I'm a security novice. ... > been unsuccessful in getting root back. ... > via ssh but you could su in once logged in as one of three users. ...
    (Security-Basics)
  • Re: Enabling telnet, ftp, pop3 for root...
    ... passwords - the root and the user password. ... excuse your 'security' by obscurity. ... On my system, someone coming in on ssh, if they even get that far, ... It's easy to forge hostnames in a local network, ...
    (alt.os.linux)
  • Re: Security of using sudo rather than su?
    ... root privileges by cracking one password ... over ssh). ... then he'd su and have full root priviledges. ... grave security risk - a junior person has complete access to ...
    (Ubuntu)
  • Re: rlogin = true for root
    ... > I am reviewing AIX security and noted root account's rlogin was set to true ... Does this have any security exposures? ... Disable telnet and rsh completely and only allow ssh. ...
    (comp.security.unix)
  • RE: Linux hacked
    ... Subject: Linux hacked ... After you boot up into the OS running from CD, ... >> First let me say I'm a security novice. ... >> been unsuccessful in getting root back. ...
    (Security-Basics)