danfruehauf / NetworkManager-ssh

SSH VPN integration for NetworkManager

Is this able to utilize my ssh config? #97

Open nhed opened 4 years ago

nhed commented 4 years ago

Fedora 30. Trying to utilize a working entry in my ssh config and getting "final secrets request failed to provide sufficient secrets". I set it to use ssh agent, but the underlying ssh process is never executed.

I was going to debug assuming ssh is launched then fails - but straced from a wrapper to /usr/libexec/nm-ssh-service and the only exe* calls were

24214 <... execve resumed>)             = 0
24214 execve("/sbin/modprobe", ["/sbin/modprobe", "tun"], 0x562786cb69e0 /* 10 vars */) = -1 EPERM (Operation not permitted)

If you don't actually execute ssh, how can you know that there are secrets missing?

nhed commented 4 years ago

and yeah, I was assuming I would need to deal with ssh launched as root - but figured I would deal with those details once I saw how ssh is launched

danfruehauf commented 4 years ago

Interesting that you ask about it now. This behaviour can lead to privilege escalation quite easily. The reason for that is that the plugin runs as root, yet your config can be modified by you and you can specify arbitrary commands to run in it. This is... undesirable. I'm still thinking of a good solution for that, but at the moment, I would recommend to not allow that.

What do you think?
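
The concern in the comment above, as an added example that is not part of the original thread or the plugin's code: a small audit that lists the directives in an ssh client config that make ssh run a local command, which is what a root-run process would inherit from a user-writable file. The function names, sample hosts and paths are constructed for illustration.

```python
import re

# ssh_config keywords whose argument the ssh client runs as a local command.
EXEC_KEYWORDS = {"proxycommand", "localcommand", "knownhostscommand"}

# Constructed sample config (hosts and paths are made up for illustration).
SAMPLE = """\
Host remote-machine
    ProxyJump jump-host
Host build
    ProxyCommand=/home/alice/bin/connect %h %p
    PermitLocalCommand yes
    LocalCommand /home/alice/bin/after-connect
Host quiet
    ProxyCommand none
Match host *.example exec "/home/alice/bin/probe %h"
    User alice
Include ~/.ssh/conf.d/*
"""

def split_directive(line):
    """Return (keyword, argument) for one ssh_config line, or None."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    # Keyword and argument are separated by whitespace or by a single '='.
    m = re.match(r"([A-Za-z0-9]+)(?:\s*=\s*|\s+)(.*)$", line)
    return (m.group(1).lower(), m.group(2).strip()) if m else None

def audit_ssh_config(text):
    """List (line, block, keyword, argument) for every exec-capable directive."""
    findings, block = [], "(global)"
    for lineno, raw in enumerate(text.splitlines(), 1):
        parsed = split_directive(raw)
        if parsed is None:
            continue
        key, arg = parsed
        if key == "host":
            block = arg
        elif key == "match":
            block = "Match " + arg
            if re.search(r"\bexec\b", arg, re.IGNORECASE):
                findings.append((lineno, block, "match exec", arg))
        elif key in EXEC_KEYWORDS and arg.lower() != "none":
            findings.append((lineno, block, key, arg))
        elif key == "include":
            # Included files are user-controlled too and need the same audit.
            findings.append((lineno, block, key, arg))
    return findings
```

On the sample, `audit_ssh_config(SAMPLE)` reports lines 4, 6, 9 and 11 and leaves `ProxyJump` and `ProxyCommand none` alone. `LocalCommand` is flagged whether or not `PermitLocalCommand` is enabled, since that setting lives in the same file.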

nhed commented 4 years ago

It's been a while since I actually asked, but if your main process runs as root you can run the ssh process itself as the user, in which case the risk exists only if the user specified that the connection is to be shared with other users (which you should warn them not to do, maybe even prevent if you can... I'm not that familiar with the innards of network manager, but I am a heavy ssh user and just won't use anything that can't utilize my extensive configs)

On Feb 16, 2020 13:09, Dan Fruehauf notifications@github.com wrote:

> Interesting that you ask about it now. This behaviour can lead to privilege escalation quite easily. The reason for that is that the plugin runs as root, yet your config can be modified by you and you can specify arbitrary commands to run in it. This is... undesirable. I'm still thinking of a good solution for that, but at the moment, I would recommend to not allow that.
>
> What do you think?


nhed commented 4 years ago

It's been a while since I actually asked, but if your main process runs as root you can run the ssh process itself as the user, in which case the risk exists only if the user specified that the connection is to be shared with other users (which you should warn them not to do, maybe even prevent if you can... I'm not that familiar with the innards of network manager, but I am a heavy ssh user and just won't use anything that can't utilize my extensive configs)

if this is coming out multiple times blame the github android app

danfruehauf commented 4 years ago

> in which case the risk exist only if the user specified that the connection is to be shared with other users (which you should warn them not to do, maybe even prevent if you can...

That would be quite difficult to do. I don't think nm will really allow me to intervene with things in that level, as a plugin maintainer.

> but if your main process runs as root you can run the ssh process itself as the user.

That is a problem, as you need root privileges (or at least CAP_NET_ADMIN) to open new network devices (tun/tap), hence, it needs to run privileged. I tried to play with capabilities and perhaps just leave CAP_NET_ADMIN and run as a regular user (reduce privileges), but that didn't work out very well, so I had to remove the feature of "free hand" options altogether...

ChristofKaufmann commented 3 years ago

So this is also an issue for me. I try to connect to a remote machine via a jump host, like my-local-machine → jump-host → remote, and cannot see how I can set it up.

When using ssh remote-machine as root user, the ssh command reads /root/.ssh/config, searches for the Host remote-machine and finds the ProxyJump jump-host option. However, the NM SSH VPN plugin seems only to look for Host * and not for remote-machine. This is also the case for files in /etc/ssh/ssh_config.d/. Is this a bug?

An alternative would be to use ssh machine -J jump-host, but this cannot be specified, since extra ssh options have been removed in #98.

danfruehauf commented 3 years ago

I'd classify it as a bug, yes. Unfortunately I've been hammered with life and work recently, and have very little time to get to nm-ssh :cry: