Why is PermitLocalCommand set to 'no' by default?

Reading ssh_config manual, I discovered local commands and PermitLocalCommand being set to 'no' by default.

Then I started to wonder how PermitLocalCommand set to 'yes' could be a security risk.

1. If I already have my hands on the keyboard, why would I enter escape mode then !command to perform something malicious instead of exiting the session and do harm on the computer?

2. I failed to see how those escape commands could be triggered from a malicious remote server

Can someone please tell me what I overlooked?

Thanks,
Gregory
0
UTF
8/18/2016 7:31:42 PM
comp.security.ssh


Grégory Pakosz <gregory.pakosz@gmail.com> writes:
> Then I started to wonder how PermitLocalCommand set to 'yes' could be
> a security risk.
>
> 1. If I already have my hands on the keyboard, why would I enter
> escape mode then !command to perform something malicious instead of
> exiting the session and do harm on the computer?

Perhaps the session wasn’t started by a shell.

-- 
http://www.greenend.org.uk/rjk/
0
Richard
8/18/2016 8:26:51 PM
> > Then I started to wonder how PermitLocalCommand set to 'yes' could be
> > a security risk.
> >
> > 1. If I already have my hands on the keyboard, why would I enter
> > escape mode then !command to perform something malicious instead of
> > exiting the session and do harm on the computer?
>
> Perhaps the session wasn’t started by a shell.
>
> -- 
> http://www.greenend.org.uk/rjk/

Sorry to insist but even if the session isn't started by a shell (then by what?), doesn't having my hands on the keyboard settle it?
0
UTF
8/19/2016 7:45:42 AM
Grégory Pakosz <gregory.pakosz@gmail.com> writes:
>>> Then I started to wonder how PermitLocalCommand set to 'yes' could be
>>> a security risk.
>>>
>>> 1. If I already have my hands on the keyboard, why would I enter
>>> escape mode then !command to perform something malicious instead of
>>> exiting the session and do harm on the computer?
>> 
>> Perhaps the session wasn’t started by a shell.
>
> Sorry to insist but even if the session isn't started by a shell (then
> by what?),

Hypothetically, some program that lets you SSH to somewhere but doesn’t
do anything else.

> doesn't having my hands on the keyboard settle it?

I don’t see why.  What do you propose to type?

-- 
http://www.greenend.org.uk/rjk/
0
Richard
8/19/2016 8:47:29 AM
> >>> Then I started to wonder how PermitLocalCommand set to 'yes' could be
> >>> a security risk.
> >>>
> >>> 1. If I already have my hands on the keyboard, why would I enter
> >>> escape mode then !command to perform something malicious instead of
> >>> exiting the session and do harm on the computer?
> >>
> >> Perhaps the session wasn’t started by a shell.
> >
> > Sorry to insist but even if the session isn't started by a shell (then
> > by what?),
>
> Hypothetically, some program that lets you SSH to somewhere but doesn’t
> do anything else.
>
> > doesn't having my hands on the keyboard settle it?
>
> I don’t see why.  What do you propose to type?
>
> -- 
> http://www.greenend.org.uk/rjk/

I believe I'm failing at imagining a situation where I'm locked into a program that has SSHed into a remote server and being truly locked into it and not being able to launch anything else (a custom command, a terminal, ...) locally.
0
UTF
8/19/2016 10:57:49 AM
Grégory Pakosz <gregory.pakosz@gmail.com> writes:

> Reading ssh_config manual, I discovered local commands and PermitLocalCommand being set to 'no' by default.
>
> Then I started to wonder how PermitLocalCommand set to 'yes' could be a security risk.
>
> 1. If I already have my hands on the keyboard, why would I enter escape mode then !command to perform something malicious instead of exiting the session and do harm on the computer?
>
> 2. I failed to see how those escape commands could be triggered from a malicious remote server
>
> Can someone please tell me what I overlooked?

I *think* that some term-control sequences can set the terminal to a strange
state, in which it can interpret chars from the server as "pressed" keys.
But it is only my thought.
KJ

-- 
http://wolnelektury.pl/wesprzyj/teraz/
"Any excuse will serve a tyrant."
		-- Aesop
0
kjonca
8/23/2016 8:17:10 PM