[erlang-questions] 'ssh' security issue

OvermindDL1 <>
Sat Dec 7 01:57:21 CET 2013


I am attempting to just create an SSH shell to connect to a system by
users so they can do commands without the web interface, and as such I
certainly do not want things like port forwarding or being able to run
arbitrary Erlang code, however I do not seem to be able to disable
running arbitrary Erlang code.  An example of the ssh_sample_cli
included with Erlang:
$ erl
Erlang R16B02 (erts-5.10.3) [source] [64-bit] [smp:8:8]
[async-threads:10] [hipe] [kernel-poll:false]

Eshell V5.10.3  (abort with ^G)
1> c(ssh_sample_cli).
ssh_sample_cli.erl:146: Warning: this expression will fail with a
'badarith' exception
2> B=ssh_sample_cli:listen(8323, [{subsystems, []}]).

And from another shell/computer:
$ ssh -p 8321 to.the.host
's password:
Enter command
CLI> help
CLI Sample
crash                  crash the cli
exit                   exit application
factors    <int>       prime factors of <int>
gcd        <int> <int> greatest common divisor
help                   help text
host                   print host addr
lcm        <int> <int> least common multiplier
prime      <int>       check for primality
primes     <int>       print all primes up to <int>
rho        <int>       prime factors using rho's alg.
self                   print my pid
user                   print name of user

---> ok
CLI> exit
---> done
Connection to to.the.host closed.

So far so good (the main program where I have this implemented has a
well running shell of its own), but let's try a couple of other things:
$ sftp -P 8321 to.the.host
's password:
subsystem request failed on channel 0
Connection closed

Also good, no file transfers can be done since the subsystems option is
set to [], but notice:
$ ssh -p 8323 to.the.host 'lists:reverse("!?ti pots I od woh dna ereh
gnineppah si tahw woN").'
's password:
"Now what is happening here and how do I stop it?!"

So... I can still run arbitrary Erlang commands, how do I stop this?
I am unable to find an option to pass in, or anything else through a
quick code perusal.  Help?
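
An added example, not from the post above and not part of OTP's
ssh_sample_cli: a daemon that keeps an interactive restricted CLI as the
shell but refuses exec requests, so 'ssh -p PORT host "lists:reverse(...)."'
is rejected instead of evaluated. It relies on the daemon options
{exec, disabled} and {exec, {direct, Fun}} as documented in the ssh
application reference of current OTP releases; the assumption here is that
these are not present in the R16B02 used in the post, where the equivalent
fix is to replace ssh_cli with your own channel callback module. The module
name restricted_sshd, the command set, and the exec_allowlist/2 fun are
hypothetical names chosen for this example.

```erlang
%% restricted_sshd: an SSH daemon that offers only a fixed command set.
%% Added example, not code from the original post or from OTP itself.
-module(restricted_sshd).
-export([start/2, start/3, exec_allowlist/2]).

%% Start with exec requests rejected outright (assumes OTP with the
%% {exec, disabled} daemon option).
start(Port, AuthOpts) ->
    start(Port, AuthOpts, disabled).

%% ExecSpec is either 'disabled' or {direct, Fun}; AuthOpts carries the
%% caller's authentication options (e.g. {system_dir, Dir}, {user_dir, Dir}).
start(Port, AuthOpts, ExecSpec) ->
    ok = ssh:start(),
    ssh:daemon(any, Port,
               [{subsystems, []},            %% no sftp, as in the post
                {exec, ExecSpec},            %% never fall back to erl_eval
                {shell, fun(User, _PeerAddr) ->
                                spawn(fun() -> shell_loop(User) end)
                        end}
                | AuthOpts]).

%% Interactive shell: the spawned process's group leader is the SSH
%% channel, so io calls go to the connected client.
shell_loop(User) ->
    case io:get_line("CLI> ") of
        eof -> ok;
        {error, _} -> ok;
        Line ->
            case dispatch(string:trim(Line), User) of
                stop -> io:format("---> done~n");
                Reply -> io:format("~s~n---> ok~n", [Reply]),
                         shell_loop(User)
            end
    end.

%% The complete set of things a client can do; anything else is refused.
dispatch("help", _User) ->
    "help   help text\nhost   print host name\nuser   print name of user\nexit   exit";
dispatch("host", _User) ->
    {ok, Host} = inet:gethostname(),
    Host;
dispatch("user", User) ->
    User;
dispatch("exit", _User) ->
    stop;
dispatch(Other, _User) ->
    "unknown command: " ++ Other.

%% Alternative to {exec, disabled}: allow 'ssh host cmd' for the same fixed
%% commands only. Use as start(Port, AuthOpts,
%% {direct, fun restricted_sshd:exec_allowlist/2}). The return term is what
%% the daemon sends back to the client.
exec_allowlist(Cmd, User) ->
    case dispatch(string:trim(Cmd), User) of
        stop -> "exit is only meaningful in the interactive shell";
        Reply -> Reply
    end.
```

Usage: restricted_sshd:start(8323, [{system_dir, "/path/to/host/keys"},
{user_dir, "/path/to/authorized_keys/dir"}]) starts a daemon whose only
entry points are the dispatch/2 clauses above. The point of routing both
the shell and the exec path through one dispatch function is that the
allowed command set is reviewed in a single place, and the exec request
that the post shows evaluating arbitrary Erlang never reaches an
evaluator at all.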
