mailing list archives
rssh security announcement
From: Derek Martin <code () pizzashack org>
Date: Tue, 8 May 2012 12:24:52 -0500
rssh is a shell for restricting SSH access to a machine to only scp,
sftp, or a small set of similar applications.
Henrik Erkkonen has discovered that, through clever manipulation of
environment variables on the ssh command line, it is possible to
circumvent rssh. As far as I can tell, there is no way to effect a
root compromise, except of course if the root account is the one
you're attempting to protect with rssh...
This project is old, and I have no interest in continuing to maintain
it. I looked for easy solutions to the problem, but in discussing
them with Henrik, none which we found satisfactorily address the
problem. Fixing this properly will require more work than I want to
put into it.
Note in particular that ensuring that the AcceptEnv sshd configuration
option need not be turned on for this exploit to work.
Derek D. Martin
GPG Key ID: 0x81CFE75D
- rssh security announcement Derek Martin (May 09)