Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Secure-Shell
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: /tmp rather than /home, attacks?

from [Mark Senior] Network Security [Permanent Link]
Subject: Re: /tmp rather than /home, attacks?
Date: Mon, 19 Mar 2007 16:01:25 -0600
On 13 Mar 2007 00:41:45 +0100, Thomas Hafner wrote: 
Hello,

having an option like
 ControlPath ~/.ssh/control/%r@%h:%p
is probably not a good idea, if the user's home directory is shared by
different machines (name collision for similiar outgoing SSH
connections). Something like that
 ControlPath /tmp/ssh-control-%r@%h:%p
should be better, because the directory /tmp is always local to the
machine. But will that enable symlink attacks? (e.g. somehow is
guessing the name before and creates an appropriate symlink to a file
to be corrupted.) Or is there another, better solution?

I'm using that version (ssh -v):
OpenSSH_4.3p2 Debian-5ubuntu1, OpenSSL 0.9.8b 04 May 2006

Regards
 Thomas


I've got the impression that you can't create a unix domain socket on
an NFS mounted file system - so if users' home directories are under
NFS, I have an impression that the control socket would not be created
at all.  I could be quite mistaken though.

Also, as I understand it, anyone on the client machine who can have
access to the unix socket at ControlPath, can become the user on the
server machine - so attacks that do something tricky with permissions
could also become a possibility.

You can always put %l into the ControlPath, so it would identify both
the local and remote machines.  Then only if you have two machines
that think they have the same hostname should there be a problem.

Regards
Mark

[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Why does sshd on fedora 5 reject public key exchange, m . griffiths
Next by Date:  Remote Port Forwarding problem, Sumit Singhal
Previous by Thread:  /tmp rather than /home, attacks?, Thomas Hafner
Next by Thread:  First time SSH user having trouble with key pair - "No more authentication methods to try", Shane O'Connor
Indexes:  [Date] [Thread] [Top] [All Lists]