Re: ~/.hosts patch

From: Garance A Drosihn <drosih_at_rpi.edu>
Date: Wed, 21 Jun 2006 20:09:53 -0400
At 10:30 PM -0700 6/20/06, Brooks Davis wrote:
>
>It's useful for cases where you want to add shortcuts
>to hosts as a user or do interesting ssh port forwarding
>tricks in some weird cases where you must connect to
>localhost:port as remotehost:port due to client/server
>protocol bugs.

As far as interesting tricks for ssh, you should already
be able to do that with ~/.ssh/config.  Note ~/.hosts
would only redirect the hostnames, and not ports.  I use
~/.ssh/config so that a plain '_at_host' request actually
goes to '_at_host:alternate-port', so-to-speak.

>This patch appears to only support ~/.hosts for non-suid
>binaries which is the only real security issue.  Any admin
>relying on host to IP mapping for security for ordinary
>users is an idiot so that case isn't worth worrying about.
>Doing this as a separate nss module probably makes sense,
>but I personally like the feature.

I have a feeling ~/.hosts could open a few security issues,
but obviously I am already using ~/.ssh/config to do about
the same thing on a smaller scale.  I'm not sure I could
say what the difference is.  I also wonder if this would
trigger some debugging-issues, when some user has long since
forgotten some alias they put in ~/.hosts, and then some new
service does not work, and they file a trouble-ticket with
whoever is providing that service.  I have certainly seen
that happen with LMHOSTS files under Windows, and my job
responsibilities don't even include doing support for
Windows.

Let's say I write some program which I let other users run.
It's just a plain executable.  It isn't setuid or setgid,
because it doesn't reference any files on the local system.
That program could reference some external hostname, and
feel that is reasonably safe to do (*).  But with this
feature any user could redirect that host.  I have not
looked at the patch in detail, but it seems to me that it
would be prudent if ~/.hosts was NOT searched for any
fully-qualified hostnames (ones with a trailing period).

I also assume this won't work well for incoming
connections (such as incoming ssh connections), since the
hostname is checked before sshd figures out where '~' is.
That isn't a problem, of course, just as long as people
don't expect it to work for that.

I don't have a strong objection to the feature, but I do
think we should consider it carefully, and make sure we
consider some of the unusual cases.  I'm just trying to
come up with a few examples of those oddball cases here.

(* - reasonable, because the person providing the program
is also the sysadmin, and thus is *already* taking other
measures to protect DNS from poisoning, etc).

-- 
Garance Alistair Drosehn            =   gad_at_gilead.netel.rpi.edu
Senior Systems Programmer           or  gad_at_freebsd.org
Rensselaer Polytechnic Institute    or  drosih_at_rpi.edu
Received on Wed Jun 21 2006 - 22:09:58 UTC

This archive was generated by hypermail 2.4.0 : Wed May 19 2021 - 11:38:57 UTC