Mail Archives: cygwin/2003/07/09/18:06:10
Mark,
This is interesting; it points to a missing part of my description of
the situation. I guess this would be called the "security model" of
this situation: what is trusted and what is not trusted.
In this situation, the commands (running as "administrator") executed by
SSH on behalf of the remote user are assumed "trusted", but the (Windows)
commands executed by the non-administrator on the local machine are not
trusted. We would like to guard against an attempt by a non-administrator
on the local machine to subvert the remote execution of a program via SSH
running as administrator.
I think you are right; if it is the incoming SSH connection that is not
trusted, it is much better to restrict the commands available than to
try to protect the machine itself (including Cygwin) from subversion.
Thanks,
Jon
|
|Jon,
|
|This is coming from a different angle, but have you
|thought of tightening security using the SSH server
|instead? I think you are considering opening up an
|interactive session using SSH in order to execute
|arbitrary commands on the remote system. However, you can
|configure ssh on a per-account basis to use forced
|commands rather than executing whatever program the user
|wants. You can write a script to parse the command sent
|by the user and then execute the appropriate program. You
|can also disable tty and interactive sessions. It seems
|like this might be a simpler approach than trying to
|restrict what an ssh user can do in an interactive session.
|
|The O'Reilly book "SSH, the Secure Shell: The Definitive
|Guide" (see
|http://safari.oreilly.com/0596000111) is an excellent
|source for how to do this.
|
|-Mark
|
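The forced-command approach Mark describes, as an added example (not code from either poster): sshd runs the script named in the key's `command=` option instead of whatever the client asked for, and passes the client's request only through the `SSH_ORIGINAL_COMMAND` environment variable, which the script matches against a fixed allowlist. The `authorized_keys` line, the install path `/usr/local/bin/ssh-dispatch`, the job names and the program paths are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the original thread: an OpenSSH forced-command
# dispatcher. sshd ignores the client's requested command and runs this
# script; the request survives only as $SSH_ORIGINAL_COMMAND (unset when the
# client asked for an interactive shell), which is parsed against an allowlist.
#
# Assumed (hypothetical) authorized_keys entry for the remote user's key,
# key material elided:
#   command="/usr/local/bin/ssh-dispatch",no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding ssh-ed25519 AAAA... remote-user
#
# The verbs, job names and program paths below are illustrative.

# resolve REQUEST: print the absolute command line to run for an allowed
# request, or print nothing and return 1 for anything else.
resolve() {
    req=$1
    case "$req" in
        # Empty request: the client wanted a shell, which is never allowed.
        "") return 1 ;;
        # Anything outside a small character allowlist is refused before
        # parsing; the allowlist below never hands user text to a shell
        # anyway, but refusing early keeps the log unambiguous.
        *[!A-Za-z0-9._/' '-]*) return 1 ;;
    esac

    set -f                 # no globbing while the request is word-split
    set -- $req            # $1 = verb, $2... = arguments
    set +f
    case "$1" in
        status)
            [ $# -eq 1 ] || return 1
            echo /usr/bin/uptime ;;
        backup)
            # Only fixed job names; the argument is matched, never interpolated.
            [ $# -eq 2 ] || return 1
            case "$2" in
                daily|weekly) echo "/usr/local/bin/run-backup $2" ;;
                *) return 1 ;;
            esac ;;
        *)
            return 1 ;;
    esac
}

# Entry point, taken only when invoked under the installed name so the
# function above can also be sourced and tested on its own.
case "${0##*/}" in
ssh-dispatch)
    if cmd=$(resolve "${SSH_ORIGINAL_COMMAND:-}"); then
        logger -t ssh-dispatch "allowed: ${SSH_ORIGINAL_COMMAND:-<none>}"
        exec $cmd
    else
        logger -t ssh-dispatch "rejected: ${SSH_ORIGINAL_COMMAND:-<none>}"
        echo "command not permitted" >&2
        exit 1
    fi
    ;;
esac
```

For the threat Jon describes (a local non-administrator trying to subvert what the administrator-owned sshd runs), the script, its directory and the `authorized_keys` file must be writable only by the administrator; sshd's `StrictModes` (on by default) refuses keys from a home directory or key file with loose permissions, but it does not check the forced command's own path, so that is on the installer.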
--
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
Problem reports: http://cygwin.com/problems.html
Documentation: http://cygwin.com/docs.html
FAQ: http://cygwin.com/faq/