[erlang-questions] 'ssh' security issue

Ingela Andin ingela.andin@REDACTED
Tue Dec 10 11:08:55 CET 2013 

Hi!

The CLI example in the SSH application must be seen as a hack. We intend to
clean it up and
extend the SSH documentation, when it gets prioritized I can not say. Well
anyway your CLI
implementation must take care of SSH exec request as well.  You can also
look at the ssh_cli.erl  module.
If I remember correctly there was a bug, before ssh-2.1.7, with regards to
the exec request  so that  it was not forwarded to CLI process but rather
always interpreted in the erlang shell environment.

Regards Ingela Erlang/OTP team - Ericsson AB


2013/12/7 OvermindDL1 <overminddl1@REDACTED>

> Greetings,
>
> I am attempting to just create an SSH shell to connect to a system by
> users so they can do commands without the web interface, and as such I
> certainly do not want things like port forwarding or being able to run
> arbitrary erlang code, however I do not seem to be able to disable
> running arbitrary erlang code.  An example of the ssh_sample_cli
> included with erlang:
> """
> $ erl
> Erlang R16B02 (erts-5.10.3) [source] [64-bit] [smp:8:8]
> [async-threads:10] [hipe] [kernel-poll:false]
>
> Eshell V5.10.3  (abort with ^G)
> 1> c(ssh_sample_cli).
> ssh_sample_cli.erl:146: Warning: this expression will fail with a
> 'badarith' exception
> {ok,ssh_sample_cli}
> 2> B=ssh_sample_cli:listen(8323, [{subsystems, []}]).
> {ok,<0.67.0>}
> """
>
> And from another shell/computer:
> """
> $ ssh -p 8321 to.the.host
> myusername@REDACTED's password:
> Enter command
> CLI> help
> CLI Sample
> crash                  crash the cli
> exit                   exit application
> factors    <int>       prime factors of <int>
> gcd        <int> <int> greatest common divisor
> help                   help text
> host                   print host addr
> lcm        <int> <int> least common multiplier
> prime      <int>       check for primality
> primes     <int>       print all primes up to <int>
> rho        <int>       prime factors using rho's alg.
> self                   print my pid
> user                   print name of user
>
> ---> ok
> CLI> exit
> ---> done
> Connection to to.the.host closed.
> """
>
> So far so good (the main program where I have this implemented has a
> well running shell of its own), but lets try a couple other things:
> """
> $ sftp -P 8321 to.the.host
> myusername@REDACTED's password:
> subsystem request failed on channel 0
> Connection closed
> """
>
> Also good, no file transfers can be done since the option subsystem is
> set to [], but notice:
> """
> $ ssh -p 8323 to.the.host 'lists:reverse("!?ti pots I od woh dna ereh
> gnineppah si tahw woN").'
> myusername@REDACTED's password:
> "Now what is happening here and how do I stop it?!"
> """
>
> So... I can still run arbitrary erlang commands, how do I stop this?
> Unable to find an option to pass in or anything through a quick code
> perusal to no avail.  Help?
> _______________________________________________
> erlang-questions mailing list
> erlang-questions@REDACTED
> http://erlang.org/mailman/listinfo/erlang-questions
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://erlang.org/pipermail/erlang-questions/attachments/20131210/a3b20f33/attachment.htm>

More information about the erlang-questions mailing list