Hacker News new | ask | show | jobs
by endiangroup 366 days ago
AD: Huh! I just wrote a utility cmd [1] this weekend to deal with restricting ssh keys to executing only commands that match a rule set via `ForceCommand` in `sshd_config` or `Command=""` in `authorized_keys`. I'm curious to see how susceptible it is to the aforementioned issues, it does delegate to `<shell> -c '<cmd>'` under the hood [2], but there are checks to ensure only a single command option argument `--` is passed (to mitigate metacharacter expansions) [3].

Note this tool is only intended to be another layer in security.

[1] https://github.com/endiangroup/cmdjail [2] https://github.com/endiangroup/cmdjail/blob/main/main.go#L30... [3] https://github.com/endiangroup/cmdjail/blob/main/config.go#L...
2 comments
pabs3 365 days ago
Note that OpenSSH always runs commands in a shell, and so far they refused to add support for exec.

https://bugzilla.mindrot.org/show_bug.cgi?id=2283

link
blueflow 366 days ago
The docs say that exec.Command works with execv directly, so there should be no issue? You dont seem to call out to /bin/sh at all.
link