From owner-freebsd-security Sat Nov 16 7:31:24 2002
Date: Sat, 16 Nov 2002 16:31:25 +0100
From: Anders Nordby
To: security@FreeBSD.org
Subject: Limiting commands to run with SSH key authorization
Message-ID: <20021116153124.GA58620@totem.fix.no>
X-PGP-Key: http://anders.fix.no/pgp/
X-PGP-Key-FingerPrint: 1E0F C53C D8DF 6A8F EAAD 19C5 D12A BC9F 0083 5956
User-Agent: Mutt/1.5.1i

Howdy,

I just finished a Perl program to verify whether the program intended for
running through SSH with key based authorization:

a) has only valid characters.
b) matches an authorized_keys configurable regexp, if you want to be able
   to run for example "rsync --server WHATNOT".

Example authorized_keys:

command="/usr/local/bin/checksshcmd -c \"^rsync --server \"" 1024 35 XXXXX.. foo@barhost

If a and b are not satisfied, the program intended to run will not. I've
attached the program. I'd be happy to receive feedback on the
security/usability of it, as you see it. Or if you have any improvements
you can think of..
Sometimes you may need to allow the user to have some variations on the
commands to use; this is an attempt to address that as opposed to just
using command="some command" that runs a specific command only. (Perl
haters can go to /dev/null.)

Cheers,

-- 
Anders.

[Attachment: checksshcmd.pl]

#! /usr/bin/perl -T
# anders@fix.no, 2002-11-13
#
# checksshcmd: forced-command wrapper for authorized_keys.  sshd passes the
# command the client asked for in $SSH_ORIGINAL_COMMAND; it is run only if
# it consists solely of whitelisted characters and matches the regexp
# given with -c.

use strict;
use warnings;
use Getopt::Std;

# do not include dash here; it is hard-coded into the character class
# below so that "-" is allowed (inside [...] a dash is normally a range)
my $okchars = "a-zA-Z/. ";

# -T (taint mode): clean the environment before anything is exec'd
$ENV{PATH} = "/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin";
delete @ENV{'IFS', 'CDPATH', 'ENV', 'BASH_ENV'};

sub enotallowed
{
    print "Not allowed to run program.\n";
    exit 1;
}

my %opts;
getopts('c:', \%opts);

# undefined when the client requested a shell or no command at all
my $runcmd = $ENV{SSH_ORIGINAL_COMMAND};
enotallowed() unless defined $runcmd;

# a) whitelist check; capturing into $1 is also what untaints the value
if ($runcmd =~ /^([-$okchars]+)$/) {
    $runcmd = $1;
} else {
    enotallowed();
}

# b) the command must match the administrator's regexp (unanchored, so put
#    a "^" in the pattern as in the authorized_keys example above)
if (defined $opts{c} && $ENV{SSH_ORIGINAL_COMMAND} =~ /$opts{c}/) {
    # no shell metacharacters can be present, so perl execs directly;
    # without the "or die" a failed exec would fall through and exit 0
    exec($runcmd) or die "exec failed: $!\n";
} else {
    enotallowed();
}
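The check described in the mail, rewritten as an added example in Python (this is not Anders' code nor anything shipped by FreeBSD; the file name checksshcmd.py, the SAFE_ENV table and the sample requests in demo() are assumptions made for illustration). It keeps the same character class and the same two-step decision, and additionally shows the cases a reviewer would want to see exercised: a missing SSH_ORIGINAL_COMMAND, shell metacharacters, a command that passes the whitelist but not the pattern, a trailing newline, and what happens when the -c pattern is left unanchored. The accepted command is executed as an argv list with os.execvpe, so no shell is ever involved.

```python
#!/usr/bin/env python3
"""Forced-command wrapper in the spirit of checksshcmd.pl (added example,
not the original author's code).  Invoked from authorized_keys, e.g.:

  command="/usr/local/bin/checksshcmd.py -c '^rsync --server '" ssh-rsa AAAA... foo@barhost

sshd puts the client's requested command in SSH_ORIGINAL_COMMAND; the
wrapper runs it only if it passes a character whitelist and the -c regexp,
and then execs it directly (argv list, no shell)."""
import os
import re
import sys

# Same character class as checksshcmd.pl: letters, '/', '.', space, '-'.
# Anything else (; | $ ` digits ...) causes a refusal.
OK_CHARS = re.compile(r"^([-a-zA-Z/. ]+)$")

# Environment handed to the command (assumed set): fixed PATH, none of the
# variables that influence shell start-up.
SAFE_ENV = {
    "PATH": "/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin",
    "HOME": os.environ.get("HOME", "/"),
    "USER": os.environ.get("USER", ""),
}


def check_command(original, pattern):
    """Return the argv list to execute, or None if the request is refused.

    original: value of SSH_ORIGINAL_COMMAND; None when the client asked for
              an interactive shell or sent no command at all.
    pattern:  the -c regexp; None refuses everything, as the Perl does.
    """
    if original is None or pattern is None:
        return None
    m = OK_CHARS.match(original)      # '$' also permits one trailing newline
    if not m:
        return None
    cmd = m.group(1)
    # Unanchored by design, as in the original: anchor the pattern with '^'
    # or 'echo rsync --server ...' slips through (see demo()).
    if not re.search(pattern, cmd):
        return None
    return cmd.split()                # no quotes/metachars can be present


def run():
    """Entry point when invoked by sshd."""
    pattern = None
    args = sys.argv[1:]
    if len(args) == 2 and args[0] == "-c":
        pattern = args[1]
    argv = check_command(os.environ.get("SSH_ORIGINAL_COMMAND"), pattern)
    if argv is None:
        sys.stderr.write("Not allowed to run program.\n")
        sys.exit(1)
    try:
        os.execvpe(argv[0], argv, SAFE_ENV)   # replaces this process; no shell
    except OSError as e:
        sys.stderr.write("exec failed: %s\n" % e)
        sys.exit(1)


def demo():
    """Constructed requests (not captured from a real session) checked
    against the pattern from the mail; returns the decision for each."""
    anchored = r"^rsync --server "
    cases = {
        "ok_rsync":   ("rsync --server --sender -vlogDtpr . /home/foo/", anchored),
        "semicolon":  ("rsync --server . /tmp; rm -rf /", anchored),
        "subshell":   ("rsync --server $(id) /tmp", anchored),
        "wrong_cmd":  ("cat /etc/passwd", anchored),
        "no_cmd":     (None, anchored),
        "no_pattern": ("rsync --server . /tmp", None),
        # same pattern with the '^' dropped: why anchoring matters
        "unanchored": ("echo rsync --server . /tmp", r"rsync --server "),
    }
    return {name: check_command(c, p) for name, (c, p) in cases.items()}


if __name__ == "__main__":
    if "SSH_ORIGINAL_COMMAND" in os.environ:
        run()
    else:
        for name, decision in demo().items():
            print(f"{name:11s} -> {decision}")
```

Run it without SSH_ORIGINAL_COMMAND set to see the decision table; only "ok_rsync" and the deliberately unanchored case yield an argv list, everything else is refused.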