[X2Go-Dev] Bug#685: user x2gobroker can evoke any command on X2Go Servers
Mike Gabriel
mike.gabriel at das-netzwerkteam.de
Tue Dec 2 17:12:28 CET 2014
Package: python-x2gobroker
Severity: important
Version: 0.0.3.0-preview
Currently, x2gobroker-pubkeyauthorizer received SSH public keys from
the X2Go Session Broker. Those key are stored as-is into
~x2gobroker/.ssh/authorized_keys.
However, we need to add a force_command option into those pubkey
lines, so that only x2gobroker-agent can be called via X2Go Session
Broker.
At the moment user x2gobroker at x2gobroker-machine can issue arbitrary
commands on the X2Go Server (which is not really painful, but should
be avoided in general).
Mike
--
DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
fon: +49 (1520) 1976 148
GnuPG Key ID 0x25771B31
mail: mike.gabriel at das-netzwerkteam.de, http://das-netzwerkteam.de
freeBusy:
https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xfb
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 819 bytes
Desc: Digitale PGP-Signatur
URL: <http://lists.x2go.org/pipermail/x2go-dev/attachments/20141202/ed30f283/attachment.pgp>
More information about the x2go-dev
mailing list