On Tue, Sep 05, 2006 at 12:04:07PM -0500, Mark Holden wrote:
I forgot to mention that we're using RHEL AS3 (currently at update 8)
and RHEL AS4 (currently at update 4). Does scponly support these
distributions?
rssh does.
From a quick read of the scponly web page:
- it seems to indiate that SFTP will work as well--is that actually the
case?
Yes. It also does with rssh.
- it appears to require a chroot'd environment.
I can't speak for scponly; but rssh does not require chroot, though it
does support chroot.
- I assume this would be a patched to the openssh package? Or is it
simply installing the scponly shell on the system and pointing that user
id at that shell in /etc/passwd?
With both scponly and rssh, it is the latter.
By the way, the pizzashack reference seems to indicate that there are
security risks, so that concerns me. Does "scponly" have security risks
as well?
There are security issues with rssh, only if you do not follow the
directions carefully. The biggest issue is that with older versions
of OpenSSH, there is no way to prevent a user from creating their own
environment file on the server, which allows them to run arbitrary
commands when they connect via ssh, thus defeating rssh (and scponly).
This is not a design flaw in rssh, but an unavoidable interaction with
older versions of OpenSSH. There is a solution, which I have
documented, but it's kind of a pain in the a$$.
The second biggest reason is that in order to chroot(2), you need root
privileges. If you are careful to set it up properly, there are no
known problems. The trouble is, many sysadmins just want to get
things up and running quickly, don't read the documentation, and don't
realize they have misconfigured things in a way which can lead to a
compromize. I say this is only second, because there are no known
bugs or expliots for the current code, and after careful review of the
code, I don't believe there ever will be any found again (he says
nervously). ^^;
The third biggest reason is that people really really wanted CVS
support in rssh, so I gave it to them. But CVS supports "triggers",
which can be used to run arbitrary programs, so rssh can be
circumvented. However, that can be prevented if the sysadmin
configures a chroot jail and disallows the execution of programs on
the filesystem where the jail lives. This is a documented issue, as
is the solution...
I will say I wrote rssh in part because I thought Joe's approach to
scponly was more complicated and hard to audit, making it potentially
more risky and easier to miss bugs in the code which might allow a
root compromize or circumvention. Both rssh and scponly do
essentially the same thing; so both suffer equally from the issues
above. However scponly allows the user to do more, so it may have
additional issues which rssh does not. I designed rssh to be very
restrictive from the beginning, in order to minimize the number of
issues that needed to be considered to get the design right. The code
for rssh is compact and simple, specifically to make problems easier
to avoid in the first place, and to find when they do occur. At the
time I wrote rssh, scponly had certain weaknesses which rssh was
designed specifically to avoid. In truth though, both programs have
had their share of security issues in the past, as a search on
securityfocus will reveal.
My suggestion to anyone trying to choose between the two is to get
both, read the documentation for both, and if possible read the code;
then make up your own mind. Obviously I think my program is better
and safer, or I would not have written it. ;-)
--
Derek D. Martin
http://www.pizzashack.org/
GPG Key ID: 0x81CFE75D
pgpanA3C8dCYt.pgp
Description: PGP signature
