Dropbear calling my own command-line parser than /bin/sh.

Matt Johnston matt at ucc.asn.au
Wed Jul 19 10:47:19 WST 2006


On Tue, Jul 18, 2006 at 02:00:49PM +0800, Matt Johnston wrote:
> On Mon, Jul 17, 2006 at 09:53:52PM -0700, Prasad wrote:
> > So now i want to totally skip the regular username and
> > password in the SSH and directly call my commandline interpreter
> > (which has a password autentication by itself). How do i achieve that?
> > Is there any security flaws in this kinda design.

> I think it should be secure, as long as you make sure that
> you're ignoring requests for different commands from the
> user (which will get passed as arguments to your
> interpreter), and your interpreter itself is secure.

Another thought, you should probably disable any forwarding.
TCP forwarding certainly could present a hazard (tunnel
through the device to get around firewalls), and agent or
X11 forwarding might have unforseen issues too. 

You might also be vulnerable to denial-of-service type
issues, as someone could open numerous connections, each
spawning an interpreter. One solution to that is to limit
the total number of connections - see the thread
http://lists.ucc.gu.uwa.edu.au/pipermail/dropbear/2006q2/000388.html
or your inetd implementation if you're using that.

Matt


More information about the Dropbear mailing list