[scponly] changing passwords remotely over scponly .. what am I doing wrong ?

Kaleb Pederson kpederson at mail.ewu.edu
Tue Mar 7 16:04:09 EST 2006


On 14:52 Tue 07 Mar     , Ensel Sharon wrote:
> 
> 
> So I am all set for deps.

If you would like to confirm what is going on, you can strace the ssh
process on the server side.  You will have to connect using a password,
then determine the tty and process on the server, and strace -o
<outfile> -ff -p <pid>.  It is failing somewhere, the question is where.

To be a little bit more detailed (this is also elsewhere in the list
archives), once the ssh server asks the client for a password, you have
until the ssh-server times out the client process.  So:

1) ssh/sftp/scp to host, it prompts for password
2) on server, find out what the pid is (there will probably be two, one
for privilege separation and one not)
3) on server, start strace
4) on client, enter password, command executes and session terminates.
5) look through strace logs to find "exec.*passwd"

> Can you please point me to your patch ?  I know I am taking up a fair
> amount of your time, and I appreciate your help - could you comment, at
> least briefly, on the (security) ramifications of using your patch ?  Can
> anyone else ?

I don't have it accessible, but you might be able to find it in the
mailing list archives.  It should still be there somewhere.  I most
likely won't be able to work on it today.

> 
> Basically I plan on using your patch immediately, because I need this
> functionality, but I don't want to go shooting myself in the foot with it
> either.  Do _you_ use it in production ?

Yes, I do use it in production.  Basically, the patch drops privileges,
doesn't chroot, and then executes the passwd program as the user.  I
think there is minimal risk involved.  I believe the absolute worst case
would be that somebody got shell access post-authentication.

I haven't seen any strange behaviors or problems in the last n months it
has been in production (I'm not sure how long anymore).

Hope that helps.

--Kaleb
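
Step 5 of the procedure above as an added example (not part of the original post and not scponly code): a shell helper that scans the per-process files written by `strace -o <outfile> -ff` for `execve` calls on `passwd` and reports each call's return value. The prefix `sshd.trace`, the pids and the trace lines are constructed sample data.

```shell
#!/bin/sh
# Added example: summarise execve() calls on passwd found in strace -ff output.

# list_passwd_execs PREFIX
# Reads the PREFIX.<pid> files written by "strace -o PREFIX -ff -p <pid>" and
# prints one line per execve() whose path ends in "passwd":
#   <pid> <path> <return value and errno text>
list_passwd_execs() {
    for f in "$1".*; do
        [ -f "$f" ] || continue          # glob matched nothing
        pid=${f##*.}                     # strace -ff names files PREFIX.<pid>
        sed -n 's/^execve("\([^"]*passwd\)".*) = \(.*\)$/\1 \2/p' "$f" |
            while read -r path result; do
                printf '%s %s %s\n' "$pid" "$path" "$result"
            done
    done
}

# failed_passwd_execs PREFIX
# Same listing, restricted to calls that returned -1 (the exec never happened).
failed_passwd_execs() {
    list_passwd_execs "$1" | awk '$3 == "-1"'
}

# write_sample_traces DIR
# Constructed sample data, not a real capture: one process whose exec fails
# because the binary is not found, one whose exec succeeds.
write_sample_traces() {
    cat > "$1/sshd.trace.4101" <<'EOF'
setuid(1001) = 0
execve("/usr/bin/passwd", ["passwd"], [/* 12 vars */]) = -1 ENOENT (No such file or directory)
exit_group(1) = ?
EOF
    cat > "$1/sshd.trace.4102" <<'EOF'
setuid(1001) = 0
execve("/bin/passwd", ["passwd"], [/* 12 vars */]) = 0
EOF
}

# Demo run over the constructed traces.
demo_dir=$(mktemp -d)
write_sample_traces "$demo_dir"
list_passwd_execs "$demo_dir/sshd.trace"
rm -rf "$demo_dir"
```

A return value of `-1` with an errno name shows where the exec failed; no matching line in any file means the process never reached the exec.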


