Talk:SSH, limiting to SCP or Rsync only

From FreeBSDwiki
(Difference between revisions)
(security concern with scpftprsynconly)
(Security aspect)
Line 38: Line 38:
 
You should probably not rely on scpftprsynconly to PREVENT users from executing programs on your machine,
 
You should probably not rely on scpftprsynconly to PREVENT users from executing programs on your machine,
 
  ./scpsftprsynconly foo 'scp -S givemeshell asd asd:asd'  
 
  ./scpsftprsynconly foo 'scp -S givemeshell asd asd:asd'  
Will execute the givemeshell command with some obscure arguments. I haven't tried it with scpftprsynconly installed as a shell but it should be as easy as
+
Will execute the givemeshell command with some obscure arguments. To get a shell with this inplace, upload a script/program that reverse connect or what you want then just:
  ssh foohost 'scp -S givemeshell'.
+
  ssh foo@barhost "scp -S echo asd asd:asd"
  
 
Probably should mention this in the article..
 
Probably should mention this in the article..
  
 
--[[User:Ice|Ice]] 04:51, 4 November 2007 (EST)
 
--[[User:Ice|Ice]] 04:51, 4 November 2007 (EST)
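Review bot: the rewritten sentence ends in "then just:" but the command that follows uses -S echo, while the sentence and the first example talk about givemeshell, so it is unclear whether the last line is a harmless demonstration or the step being described; say which it is. The prose also spells the wrapper scpftprsynconly while the command line uses scpsftprsynconly; use one spelling throughout.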

Revision as of 06:06, 4 November 2007

just btw

# gcc scpsftprsynconly.c -o /usr/local/bin/scpsftprsynconly
scpsftprsynconly.c: In function ‘main’:
scpsftprsynconly.c:48: error: expected ‘)’ at end of input
scpsftprsynconly.c:48: error: expected declaration or statement at end of input
# 


Tried running this on a CentOS box and this is what I'm getting. dubl-U Tee Eff Mmm8.

--Dave 12:25, 22 October 2007 (EDT)

just guessing, really

since I don't know shit, but I added a } before the #ifdef DEBUG section and now I'm getting:

[root@web ~]# gcc scpsftprsynconly.c -o /usr/local/bin/scpsftprsynconly
scpsftprsynconly.c:45: error: expected identifier or ‘(’ before ‘if’
scpsftprsynconly.c:49: error: expected identifier or ‘(’ before ‘if’
[root@web ~]# 

which is in the first lines of

        if (argc < 3) {
                printf (restrictmsg);
                return 1;
        }
        if ((strncmp (argv [2], "scp ", 4) != 0)

wha?

--Dave 13:41, 22 October 2007 (EDT)

somebody oopsed on a kill-the-spam edit

The problem you were having was that a good samaritan who manually edited the article to remove spam accidentally damaged the code a while back. I looked through history on the article and reverted to prior to the damage. --Jimbo 15:20, 22 October 2007 (EDT)

Security aspect

You should probably not rely on scpsftprsynconly to PREVENT users from executing programs on your machine:

./scpsftprsynconly foo 'scp -S givemeshell asd asd:asd' 

Will execute the givemeshell command with some obscure arguments. To get a shell with this in place, upload a script/program that reverse connects or what you want, then just:

ssh foo@barhost "scp -S echo asd asd:asd"

Probably should mention this in the article..

--Ice 04:51, 4 November 2007 (EST)
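One way to close the gap described in the post above, as an added example (not the wiki's scpsftprsynconly.c): instead of a prefix test like the strncmp (argv [2], "scp ", 4) quoted earlier, parse the requested command and allow only the server-side forms an scp client asks for (-t or -f, optionally with -v -r -p -d), so that -S and -o are refused. The function name, the metacharacter list and the sample strings are assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>

/* Assumption: the string may later be handed to a shell, so refuse these. */
#define SHELL_META ";&|`$()<>\\\"'\n\r*?[]{}~!#"

/* Returns 1 only for the forms an scp client requests from the server:
 *   scp [-v] [-r] [-p] [-d] (-t | -f) [--] <path>
 * Anything else, including -S <program> and -o <option>, returns 0. */
int scp_command_allowed(const char *cmd)
{
    int mode = 0, paths = 0, opts_done = 0, seen_scp = 0;

    if (strpbrk(cmd, SHELL_META)) return 0;
    for (const char *p = cmd; ; ) {
        p += strspn(p, " \t");                 /* skip separators */
        size_t n = strcspn(p, " \t");          /* length of this token */
        if (n == 0) break;
        if (!seen_scp) {                       /* first token must be exactly "scp" */
            if (n != 3 || strncmp(p, "scp", 3) != 0) return 0;
            seen_scp = 1;
        } else if (!opts_done && n == 2 && strncmp(p, "--", 2) == 0) {
            opts_done = 1;                     /* end of options */
        } else if (!opts_done && p[0] == '-') {
            if (n == 1) return 0;              /* a bare "-" is not accepted */
            for (size_t i = 1; i < n; i++) {   /* every letter must be whitelisted */
                if (p[i] == 't' || p[i] == 'f') mode++;
                else if (!strchr("vrpd", p[i])) return 0;
            }
        } else {
            opts_done = 1;                     /* first operand ends option parsing */
            paths++;
        }
        p += n;
    }
    return seen_scp && mode == 1 && paths == 1;
}

int main(void)
{
    const char *samples[] = {                  /* constructed inputs */
        "scp -t /home/foo/upload", "scp -r -p -f -- data",
        "scp -S givemeshell asd asd:asd", "scp -S echo asd asd:asd",
        "scp -t -oProxyCommand=x /tmp", "scp -t /tmp; id",
    };
    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++)
        printf("%-32s -> %s\n", samples[i],
               scp_command_allowed(samples[i]) ? "allow" : "deny");
    return 0;
}
```

A wrapper using such a check should still execute the scp binary directly with the parsed arguments rather than passing the original string to a shell.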
