Default `auth_key_file` is insecure (#17)
Comments
That quite depends on your threat model, but makes sense if your ssh daemon relies on

Following the sshd configuration would make sense:

Regarding the example in the linked PR, I feel like the provided example is misleading as the user account used to "elevate" privileges is allowed to run any command as root… so it just makes it possible without knowing the user password (while a correct sudo config would not have allowed the user to run any command as root in any case).
@smortex The point is, it turns “user is allowed $thing if they authenticate with a trusted pubkey” into “user is allowed $thing unconditionally.” The PAM module is bypassed, and if the administrator's intent was the latter, they wouldn't have used
It may be good to mention that point explicitly in the Config section of

This works if I specify in

However, when I specify:

then I get:

I guess I'm doing something wrong here?
Original issue text:

A process running as a given user can (in most cases) modify `~/.ssh/authorized_keys`, for instance to add a new key they control before invoking whatever is using `pam_rssh`, subverting the authentication it is supposed to provide. NixOS/nixpkgs#31611 provides an example (ab)using this to bypass `pam_ssh_agent_auth` in the context of `sudo`, which I believe would work similarly against `pam_rssh`.
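The check the issue and the "follow the sshd configuration" reply are asking for, written here as an added example that is not part of `pam_rssh` or of the thread: walk the keys file and every directory above it the way sshd's `StrictModes` does, but require that each component be owned by a trusted uid (root by default) and never by the user being authenticated, never group- or world-writable, and never a symlink, because a user-owned `~/.ssh/authorized_keys` is exactly what lets the user add their own key before running `sudo`. The directory layout, key line, uid 65534 and the `trusted_owners`/`stop_at` parameters are constructed for the demo (the demo cannot `chown` to root, so the current user stands in for root via `trusted_owners`).

```python
import os
import stat
import tempfile
from pathlib import Path


def tamper_problems(path, uid, trusted_owners=(0,), stop_at="/"):
    """Return the reasons why user `uid` could alter the keys read from `path`.

    An empty list means the file can be trusted as an authentication factor
    for `uid`. Unlike sshd's StrictModes, ownership by the user is a failure,
    not an allowed case: a sudo gate must not read keys the user can edit.
    Every component from the file up to and including `stop_at` (sshd stops at
    the home directory; use "/" for a system-wide file) is inspected with lstat
    so a symlink planted by the user is reported instead of followed.
    """
    path = Path(path)
    stop_at = Path(stop_at)
    if not path.is_absolute():
        return [f"{path}: must be an absolute path"]
    problems = []
    for comp in [path, *path.parents]:
        kind = "file" if comp == path else "directory"
        try:
            st = os.lstat(comp)
        except FileNotFoundError:
            # A missing file in a user-writable directory can simply be created.
            problems.append(f"{comp}: {kind} does not exist")
            continue
        if stat.S_ISLNK(st.st_mode):
            problems.append(f"{comp}: is a symlink and could be redirected")
        if st.st_uid == uid:
            problems.append(f"{comp}: owned by the user being authenticated (uid {uid})")
        elif st.st_uid not in trusted_owners:
            problems.append(f"{comp}: owned by untrusted uid {st.st_uid}")
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            mode = stat.S_IMODE(st.st_mode)
            problems.append(f"{comp}: {kind} is group- or world-writable (mode {mode:04o})")
        if comp == stop_at:
            break
    return problems


def build_demo(root):
    """Constructed layout for the demo (not a real system):
    <root>/keys/authorized_keys with dir mode 0755 and file mode 0644."""
    keys_dir = Path(root) / "keys"
    keys_dir.mkdir()
    keys_dir.chmod(0o755)
    keys_file = keys_dir / "authorized_keys"
    keys_file.write_text("ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDemoKeyNotReal demo@example\n")
    keys_file.chmod(0o644)
    return keys_file


def run_demo():
    """Evaluate three configurations against the constructed layout."""
    me = os.getuid()
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        keys = build_demo(tmp)
        # 1. The issue's default: the keys file lives under the home directory
        #    of the very user sudo is authenticating, so they own it.
        results["user_owned"] = tamper_problems(keys, uid=me, stop_at=tmp)
        # 2. The fix: a file (and path) owned by a trusted account only. The
        #    current user stands in for root here; uid 65534 is the sudo user.
        results["trusted_owner"] = tamper_problems(
            keys, uid=65534, trusted_owners={me}, stop_at=tmp)
        # 3. Right owner, wrong mode: group-writable still lets others edit it.
        keys.chmod(0o664)
        results["group_writable"] = tamper_problems(
            keys, uid=65534, trusted_owners={me}, stop_at=tmp)
    return results


if __name__ == "__main__":
    for name, problems in run_demo().items():
        print(f"{name}: {'OK' if not problems else problems}")
```

For a real deployment the call would be `tamper_problems("/etc/ssh/sudo_authorized_keys", uid_of_user)` (the path is a hypothetical example of a root-owned location, not a `pam_rssh` default), with `stop_at` left at "/" so a writable `/etc` is caught as well.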