[distcc] Restrict Distcc over SSH (command parameter)
Martin Pool
mbp at sourcefrog.net
Mon Dec 1 12:44:26 MST 2014
Just to be clear, that's not going to stop a determined attacker running
arbitrary commands via distccd. It will stop people accidentally logging in.
I think you wouldn't need a specific sshd in the chroot - perhaps a little
wrapper under the name 'distccd' that moves into that chroot would be
enough, or perhaps we could do something through the users' shell. It would
be nice to document/script this.
On Sun Nov 30 2014 at 1:03:12 PM Sebastian Wieseler <sebastian at nanofortnight.org> wrote:
> Hey Martin!
>
> On Mon, Nov 17, 2014 at 06:51:47PM +0000, Martin Pool wrote:
> > I don't recall the exact command, but it's probably going to be `distccd
> > --inet ...something...`. You might be able to see it in the distcc
> > verbose log.
>
> This really helped. :-)
> my .ssh/authorized_keys file looks now like:
> from="xxx.xxx.xxx.xxx",no-agent-forwarding,no-port-forwarding,no-X11-forwarding,no-pty,command="distccd --inetd" ssh-rsa …
>
> This works totally fine for me.
>
> The problem with a chroot would be that you would then need an sshd in
> that chroot as well?
> To just encrypt the traffic and have some kind of authentication, a normal
> sshd should do the job as well.
> And since the distcc remote user can only execute "distccd --inetd" it
> should be ok :)
>
> Thank you very much again!
> Regards, Sebastian
>
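A check for the key options in the quoted authorized_keys entry, as an added example that is not part of the original thread: it parses the options field (including quoted values) and reports what is missing relative to that entry. The function names, the SAMPLE lines and the 192.0.2.10 address are constructed; `restrict` is an OpenSSH option that does not appear in the thread; the check looks only at the SSH-side options, not at what distccd itself will run.

```python
# Options the thread's authorized_keys entry relies on (names are case-insensitive).
REQUIRED = {"no-agent-forwarding", "no-port-forwarding", "no-x11-forwarding", "no-pty"}
KEY_TYPES = ("ssh-", "ecdsa-", "sk-")

def parse_entry(line):
    """Return (options dict, key part); commas and blanks inside quotes are literal."""
    line = line.strip()
    if line.startswith(KEY_TYPES):          # entry has no options field at all
        return {}, line
    fields, buf, quoted, i = [], [], False, 0
    while i < len(line):
        c = line[i]
        if quoted and line[i:i + 2] == '\\"':
            buf.append('"')                 # \" is an escaped quote inside a value
            i += 1                          # skip the backslash; i += 1 below skips the quote
        elif c == '"':
            quoted = not quoted
        elif c == "," and not quoted:
            fields.append("".join(buf))
            buf = []
        elif c in " \t" and not quoted:
            break                           # options end at the first unquoted blank
        else:
            buf.append(c)
        i += 1
    fields.append("".join(buf))
    opts = {n.lower(): v for n, _, v in (f.partition("=") for f in fields)}
    return opts, line[i:].strip()

def audit(line, expected_command="distccd --inetd"):
    """List what is missing compared with the restricted entry in the thread."""
    opts, _key = parse_entry(line)
    findings = []
    if opts.get("command") != expected_command:
        findings.append("command= is not pinned to " + expected_command)
    if not opts.get("from"):
        findings.append("no from= source restriction")
    for flag in sorted(REQUIRED):
        # 'restrict' implies every no-* flag unless another option re-enables it
        if flag not in opts and not ("restrict" in opts and flag[3:] not in opts):
            findings.append("missing " + flag)
    return findings

SAMPLE = [  # constructed entries; key material and address are placeholders
    'from="192.0.2.10",no-agent-forwarding,no-port-forwarding,no-X11-forwarding,no-pty,command="distccd --inetd" ssh-rsa AAAAconstructed build@client',
    'command="distccd --inetd" ssh-rsa AAAAconstructed build@client',
    'ssh-ed25519 AAAAconstructed admin@laptop',
]
print([audit(entry) or "ok" for entry in SAMPLE])
```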