OT: security of make as authorized_keys command

[Dave Burns]

On Dec 31, 2007 8:20 AM, Mikkel L. Ellertson <mikkel at infinity-ltd.com> wrote:
>
> Dave Burns wrote:
>>[snip]I put a key in my
> > .ssh/authorized_keys file like so:
> >
> > command="/usr/bin/make $SSH_ORIGINAL_COMMAND" ssh-rsa AAAAB3NzaC1[etc.etc.]
> >
> > so I can invoke make targets like so:
> >
> > ssh username at host target
> >
> > Assuming the bad guys never get my key, I am fine, even though it is
> > passwordless.
> >
> > What if a bad guy does get my key? Then I see three possible problems:
> >
> > 1) somehow use make's -F switch in ssh command to change Makefiles?
> > 2) stack overflow of make or ssh?
> > 3) Somehow put extra command after make target using ';' or something?
> >
> > And obviously the bad guy can invoke any of the targets in my
> > makefile, but I've made them pretty innocuous.
> >
> > So, should I seriously worry about any of these potential problems?
> > Any other holes I haven't thought of?
> >
> > The motivation for all this is some cron jobs I want to run, obviously
> > calls for a passwordless ssh key, but I want to put some limits on it.
> >
> > Thanks,
> > Dave
> >
> Instead of running make directly, run a script that does some
> checking on what is supplied. You could limit the directories that
> make could be run in, strip out any extra command, etc. (Search the
> line for a ; , then log and discard the command if it is found.) You
> could even disable the key if you get an invalid command.

Well, yeah, but this was what I was trying to avoid, having to predict
all sorts of attacks and do lots of parsing. If I agree that just
slapping $SSH_ORIGINAL_COMMAND into make without any parsing is too
risky, wouldn't it be better to just parse out the first alphanumeric
target name from $SSH_ORIGINAL_COMMAND and slap that into make? That
is, the target name starts at the beginning of $SSH_ORIGINAL_COMMAND
and is terminated by the first non-alphanumeric char. This restricts
it to one target at a time, but I don't mind. Then make does the rest
of the parsing for me, generating an error if the requested target
isn't defined. There's still a possibility of stack overflow, so I
still need to know if there are any particular risks to worry about
when make is given a humongous undefined target or ssh is given a
humongous command. Though you'd think that if sshd was going to blow
up due to excessive input, it would blow up on the sending side,
right?

> As added security, you can limit the IP address that the key is
> valid from, so the key would only be useful from a specific network.

I've done so, but I doubt it helps much  - I'd say by far the most
likely way for a bad guy to get his hands on my key would be to hack
the box where it lives, in which case this gives little extra
protection. that is, he can only attack from my machine, but we're
assuming he has the capability to do so.It becomes more likely that
I'll notice the activity, but I can't assume I'm safe.

Thanks for the reply,
Dave