Security of "command=" in authorized_keys (ubuntu)

I have a user who needs me to do something for him in my linux account

The action taken uses the IP of the connection and no other input

To that end, we set up an entry in authorized_keys:

command="/my/" ssh-dsa ... his key ...

In other words, his key is not a general purpose access key but is
only allowed to run /my/

/my/ script does various work, using only one input from $SSH_CLIENT:

etc etc. The script does not use command line arguments, or any other
environment variables, besides ones used by bash, ld-preload etc. The
actions actually taken by a script include running other scripts,

I am concerned whether this is secure and whether this can be
subverted somehow, say by overriding environment variables.

I have a feeling that it is safe, and yet, I want to double check.

PermitUserEnvironment is not defined.

I believe that SSH_CLIENT is set by sshd and can never be anything
other than an IP address followed by two numbers. (ie it cannot be
"`rm -rf /`" or some such).

What I am concerned with is, say his account is hacked. Can a hacker
somehow elevate privileges based on my script and execute arbitrary


Re: Security of "command=" in authorized_keys (ubuntu)

On Feb 3, 10:28 am, Ignoramus26563 <ignoramus26...@NOSPAM.26563.invalid> wrote:

I wouldn't trust the script to protect its permissions. I'll suggest
two better solutions:

1) Create a new user and a new group, put the new user in that group.
Create a program only executable by a member of that group that is
setuid to your user. Make that program sanitize the context and then
run your script.

2) Write a wrapper program to execute your script after sanitizing the
environment and parameters. Have the ssh key launch that wrapper
program rather than your script directly.

As a general rule, scripts for general-purpose shells do a lousy job of
protecting from privilege elevation attacks.
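An added example, not written by any poster in this thread, of the wrapper approach suggested above combined with the SSH_CLIENT check the original post relies on. It goes slightly beyond the thread in that it also accepts an IPv6 client address. ssh-wrapper.sh, /home/me/bin and /my/script are assumed names, and CLIENT_IP is an assumed name for the single value handed to the real script; the authorized_keys options in the comment are standard OpenSSH ones.

```shell
#!/bin/sh
# ssh-wrapper.sh: the command= target for a single-purpose key (example code).
# Suggested authorized_keys line (paths assumed, key material elided):
#   no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty,command="/home/me/bin/ssh-wrapper.sh" ssh-dss AAAA...
# The wrapper validates SSH_CLIENT, throws the whole inherited environment
# away, and hands the real script exactly one value: the client IP.

REAL_SCRIPT="${REAL_SCRIPT:-/my/script}"   # assumed path of the real script

# is_ipv4 A.B.C.D: true only for a strict dotted quad with octets 0..255.
is_ipv4() {
    case $1 in
        ""|.*|*.|*..*|*[!0-9.]*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1                          # split on dots into octets
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
}

# client_ip_from "<SSH_CLIENT value>": print the client IP when the value has
# exactly the shape sshd produces ("ip client-port server-port"); otherwise
# print nothing and return non-zero.
client_ip_from() {
    # Anything outside hex digits, dots, colons and whitespace is not something
    # sshd would emit; rejecting it first also keeps glob characters away from
    # the unquoted word split below.
    case $1 in
        ""|*[![:xdigit:][:space:]:.]*) return 1 ;;
    esac
    set -- $1                          # now: $1=ip $2=client port $3=server port
    [ "$#" -eq 3 ] || return 1
    case "$2$3" in *[!0-9]*) return 1 ;; esac
    if is_ipv4 "$1"; then
        :
    else
        case $1 in
            *:*) case $1 in *[![:xdigit:]:.]*) return 1 ;; esac ;;   # loose IPv6 check
            *)   return 1 ;;
        esac
    fi
    printf '%s\n' "$1"
}

# run_clean: refuse unless SSH_CLIENT validates, then run the real script with
# an empty environment. env -i drops everything the session carried (LD_PRELOAD,
# BASH_ENV, anything PermitUserEnvironment might have let through) and
# SSH_ORIGINAL_COMMAND is deliberately not passed on, so the script's only
# external input is CLIENT_IP.
run_clean() {
    ip=$(client_ip_from "${SSH_CLIENT:-}") || {
        printf 'refusing request: SSH_CLIENT has unexpected form\n' >&2
        return 2
    }
    env -i PATH=/usr/bin:/bin CLIENT_IP="$ip" /bin/sh "$REAL_SCRIPT"
}

# Only act as the wrapper when invoked under the assumed script name, so the
# functions above can also be sourced and exercised on their own.
case ${0##*/} in
    ssh-wrapper.sh) run_clean ;;
esac
```

The real script then reads only `$CLIENT_IP` and can itself refuse to run if that variable is empty, which makes the "no other input" property something checked in two places rather than assumed.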


Re: Security of "command=" in authorized_keys (ubuntu)

David, while you are right about such scripts when run from the command
line, this script is not running from the command line -- it runs from
a restricted environment prepared for it by sshd for "command=" execution.

I would like to make the following statement:

  1) Remote user cannot alter environment of "command=" script
  2) SSH_CLIENT environment variable always contains an
     IP address in the first word

Then: my script should safely work because essentially no inputs from
user are taken, except for IP address in SSH_CLIENT.

What I would mainly like to find out is whether items 1 and 2 are


Re: Security of "command=" in authorized_keys (ubuntu)

Even better, do this bit via userv: /

which works by having the directly invoked client program open a
Unix socket connection to a server which launches the real service
script. So there's no risk of accidentally incomplete sanitisation,
because here the environment and parameters are sanitised _by
default_: anything you do want to pass in has to be passed in
Simon Tatham         What do we want?        ROT13!

Re: Security of "command=" in authorized_keys (ubuntu)

On 03.02.2010 23:16, David Schwartz wrote:

It sounds like the use of SUDO through an SSH connection.

Re: Security of "command=" in authorized_keys (ubuntu)

Perl's taint mode can be used to deal with this.  You specify what
legal values are and unless that is matched it refuses to do anything
it thinks of as having external effects.

In addition to userv that was mentioned you could look into plash.

Elvis Notargiacomo  master AT barefaced DOT cheek /