Bug 440268 (CVE-2008-1657) - CVE-2008-1657 openssh: commands in ~/.ssh/rc override ForceCommand directive
Summary: CVE-2008-1657 openssh: commands in ~/.ssh/rc override ForceCommand directive
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2008-1657
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 280461 440375 440376
Blocks:
TreeView+ depends on / blocked
 
Reported: 2008-04-02 15:34 UTC by Tomas Hoger
Modified: 2021-11-12 19:49 UTC (History)
1 user (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2010-12-23 16:54:06 UTC
Embargoed:

Attachments (Terms of Use)

Description Tomas Hoger 2008-04-02 15:34:40 UTC 
OpenSSH version 4.9 fixed an issue that allowed local users with write access to
their ~/.ssh/rc file to override administratively set ForceCommand, possibly
bypassing intended security restrictions.

References:
http://marc.info/?l=openssh-unix-dev&m=120692745026265&w=2
http://secunia.com/advisories/29602/
http://openbsd.org/errata43.html#001_openssh
ftp://ftp.openbsd.org/pub/OpenBSD/patches/4.3/common/001_openssh.patch
Comment 1 Tomas Mraz 2008-04-02 16:12:20 UTC 
Affects only F7, F8 & Rawhide.
Comment 2 Tomas Hoger 2008-04-03 07:11:11 UTC 
Tomas is obviously right.  ForceCommand directive was introduced in OpenSSH
version 4.4 (http://openssh.org/txt/release-4.4):

Changes since OpenSSH 4.3:
============================

[...]

 * Added a "ForceCommand" directive to sshd_config(5). Similar to the
   command="..." option accepted in ~/.ssh/authorized_keys, this forces
   the execution of the specified command regardless of what the user
   requested. This is very useful in conjunction with the new "Match"
   option.

Therefore, this issue did not affect versions of openssh packages as shipped
with Red Hat Enterprise Linux 2.1, 3, 4, and 5.
Note You need to log in before you can comment on or make changes to this bug.