Re: X11 forwarding after su'ing

From: Haan, de, Jan (Jan.de.Haan_at_Essent.nl)
Date: 06/06/03

    To: secureshell@securityfocus.com
    Date: Fri, 6 Jun 2003 13:33:44 +0200 
    
    

    > > 3. why not use ssh -X -l <thotheruserIwantedsuto?> <thehost>?
    > Maybe, because -l root ain't that nice?

    > Philipp

    Sorry for referring so late to a (securityfocus) post, but the Subject
    has been nagging me for the last month ;-) Problem was how to keep your
    DISPLAY, xauth and security (no 'ssh root@host' over the net) when
    changing users remotely (especially to root with su/sudo).

    Comments please on the security side of this 'solution' and the
    proposed feature request.

    Solved it by running two sshd's, one started with "sshd -f sshd1_config"
    with
    "ListenAddress <hostname on ethx>"
    "PermitRootLogin no"
    "PidFile /var/run/ssh1.pid" <== That one bit me ... in the ass a few times ;-)
    ...
    And another started with "sshd -f sshd2_config" with
    "ListenAddress dummy0"
    "PermitRootLogin yes"
    "PidFile /var/run/ssh2.pid"

    dummy0 is the hostname of the IP address on a loopback adapter
    (Debian/GNU/Linux /etc/modules, dummy; HPUX/Sun ifconfig lo0:1;
    winx msloopback adapter) which is not visible on the outside
    (disabled in routing). Only one extra address/subnet (/30 ?) is
    needed for an unlimited number of hosts since it can be
    identical on all because it is not routed.

    Access can be gained in two ways: generating two keys that you both
    load in your ssh-agent or by adding your identity.pub to the
    authorized_keys2 of the second remote user.

    Proof of concept:

    user1@host1:/home/user1 >ssh -X host2
    Linux host2 2.4.18-686 #1 Sun Apr 14 11:32:47 EST 2002 i686 unknown
    Last login: Fri Jun 6 08:44:00 2003 from host1
    user1@host2:~$ ssh -X root@dummy0
    Linux host2 2.4.18-686 #1 Sun Apr 14 11:32:47 EST 2002 i686 unknown
    Last login: Fri Jun 6 11:25:25 2003 from dummy0
    root@host2:/root >echo $DISPLAY
    localhost:11.0
    root@host2:/root >

    and

    user1@host1:/home/user1 >ssh -X -f host2 'ssh -X -f root@dummy0 /usr/bin/X11/xterm'

    works too.

    Feature request

    This kludge (2 daemons) would not have to be used if the possibility
    existed of using a combined "AllowUsers" and "ListenAddress" parameter
    (ACL's ?), for instance:

    ACL [allow|deny],[dns|host|ipaddress|range[:port]],[user|group],[dns|host|ipaddress|range[:port]]

    ACL allow, hostname, root, dummy0
    ACL deny, *, !root, dummy0
    ACL allow, *, !root, *
    ACL deny, *, *, * (sorry, Cisco heritage showing ;-) )

    Sincerely,

    Jan.
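
The ACL lines proposed in the feature request above can be checked by evaluating them against login attempts. The following is an added example, not part of the original post and not OpenSSH code. It assumes the field order is action, source host, user, listen address, that `!` negates a field, and that the first matching rule wins with deny as the fallback; the function names and sample attempts are constructed for illustration.

```python
import fnmatch

# ACL lines copied from the feature request. Assumed field order:
# action, source host, user, listen address.
ACL_TEXT = """\
ACL allow, hostname, root, dummy0
ACL deny, *, !root, dummy0
ACL allow, *, !root, *
ACL deny, *, *, *
"""

def parse_acl(text):
    """Turn 'ACL action, source, user, listen' lines into rule tuples."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("ACL "):
            continue
        fields = [f.strip() for f in line[4:].split(",")]
        if len(fields) != 4 or fields[0] not in ("allow", "deny"):
            raise ValueError(f"malformed ACL line: {line!r}")
        rules.append(tuple(fields))
    return rules

def field_matches(pattern, value):
    """'*' matches anything; a leading '!' negates the match (assumed)."""
    if pattern.startswith("!"):
        return not fnmatch.fnmatchcase(value, pattern[1:])
    return fnmatch.fnmatchcase(value, pattern)

def decide(rules, source, user, listen):
    """First matching rule wins; no match means deny (assumed semantics)."""
    for action, src_pat, user_pat, listen_pat in rules:
        if (field_matches(src_pat, source)
                and field_matches(user_pat, user)
                and field_matches(listen_pat, listen)):
            return action
    return "deny"

RULES = parse_acl(ACL_TEXT)

if __name__ == "__main__":
    # Constructed login attempts: (source host, user, listen address).
    for attempt in [("hostname", "root", "dummy0"),
                    ("host1", "root", "eth0"),
                    ("host1", "user1", "eth0"),
                    ("hostname", "user1", "dummy0")]:
        print(attempt, "->", decide(RULES, *attempt))
```

Current OpenSSH can express per-listen-address policy in a single daemon with `Match LocalAddress` blocks in sshd_config, which accept `PermitRootLogin` and `AllowUsers`.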

