From: Stas <stas.grumbler@gmail.com>
To: ALT Linux Sisyphus discussions <sisyphus@lists.altlinux.org>
Subject: [sisyphus] An SSH key is hardcoded in the install script of the freenx-server package
Date: Sun, 27 Mar 2016 22:14:18 +0500
Message-ID: <56F814EA.5090008@gmail.com>

Greetings!

I am installing the freenx server and found an amusing "hole".

After installation the manual recommends running
/etc/init.d/freenx-server install. As a result, the script
/usr/bin/nxsetup is run with the --install parameter.

Inside /usr/bin/nxsetup, in the function parse_cmdline(), starting at
line 126, there is this code:
============================================================
if [ "$INSTALL" = "yes" -a "$AUTOMATIC" = "no" -a "$SETUP_NOMACHINE_KEY" = "no" ]
then
	echo "------> It is recommended that you use the NoMachine key for"
	echo " easier setup. If you answer \"y\", FreeNX creates a custom"
	echo " KeyPair and expects you to setup your clients manually. "
	echo " \"N\" is default and uses the NoMachine key for installation."
	echo ""
	echo -n " Do you want to use your own custom KeyPair? [y/N] "
	read -n 1 CHOICE
	[ "$CHOICE" = "y" ] || SETUP_NOMACHINE_KEY="yes"
fi
============================================================

That is, the script recommends using some "NoMachine key". Let's look at
what kind of key this is, and we see it in the function install_nx()
(quoting, starting at line 196):
============================================================
mkdir -p $NX_HOME_DIR/.ssh
chmod 700 $NX_HOME_DIR/ $NX_HOME_DIR/.ssh

if [ ! -f $NX_HOME_DIR/.ssh/$SSH_AUTHORIZED_KEYS -o "$SETUP_NOMACHINE_KEY" = "yes" ]
then
	SETUP_NX_KEY="yes"
	if [ "$SETUP_NOMACHINE_KEY" = "yes" ]
	then
		cat << EOF >$NX_HOME_DIR/.ssh/$SSH_AUTHORIZED_KEYS
no-port-forwarding,no-agent-forwarding,command="$PATH_BIN/nxserver" ssh-dss AAAAB3NzaC1kc3MAAACBAJe/0DNBePG9dYLWq7cJ0SqyRf1iiZN/IbzrmBvgPTZnBa5FT/0Lcj39sRYt1paAlhchwUmwwIiSZaON5JnJOZ6jKkjWIuJ9MdTGfdvtY1aLwDMpxUVoGwEaKWOyin02IPWYSkDQb6cceuG9NfPulS9iuytdx0zIzqvGqfvudtufAAAAFQCwosRXR2QA8OSgFWSO6+kGrRJKiwAAAIEAjgvVNAYWSrnFD+cghyJbyx60AAjKtxZ0r/Pn9k94Qt2rvQoMnGgt/zU0v/y4hzg+g3JNEmO1PdHh/wDPVOxlZ6Hb5F4IQnENaAZ9uTZiFGqhBO1c8Wwjiq/MFZy3jZaidarLJvVs8EeT4mZcWxwm7nIVD4lRU2wQ2lj4aTPcepMAAACANlgcCuA4wrC+3Cic9CFkqiwO/Rn1vk8dvGuEQqFJ6f6LVfPfRTfaQU7TGVLk2CzY4dasrwxJ1f6FsT8DHTNGnxELPKRuLstGrFY/PR7KeafeFZDf+fJ3mbX5nxrld3wi5titTnX+8s4IKv29HJguPvOK/SI7cjzA+SqNfD7qEo8= root@nettuno
EOF
		chmod 600 $NX_HOME_DIR/.ssh/$SSH_AUTHORIZED_KEYS
		cat << EOF >$NX_HOME_DIR/.ssh/client.id_dsa.key
-----BEGIN DSA PRIVATE KEY-----
MIIBuwIBAAKBgQCXv9AzQXjxvXWC1qu3CdEqskX9YomTfyG865gb4D02ZwWuRU/9
C3I9/bEWLdaWgJYXIcFJsMCIkmWjjeSZyTmeoypI1iLifTHUxn3b7WNWi8AzKcVF
aBsBGiljsop9NiD1mEpA0G+nHHrhvTXz7pUvYrsrXcdMyM6rxqn77nbbnwIVALCi
xFdHZADw5KAVZI7r6QatEkqLAoGBAI4L1TQGFkq5xQ/nIIciW8setAAIyrcWdK/z
5/ZPeELdq70KDJxoLf81NL/8uIc4PoNyTRJjtT3R4f8Az1TsZWeh2+ReCEJxDWgG
fbk2YhRqoQTtXPFsI4qvzBWct42WonWqyyb1bPBHk+JmXFscJu5yFQ+JUVNsENpY
+Gkz3HqTAoGANlgcCuA4wrC+3Cic9CFkqiwO/Rn1vk8dvGuEQqFJ6f6LVfPfRTfa
QU7TGVLk2CzY4dasrwxJ1f6FsT8DHTNGnxELPKRuLstGrFY/PR7KeafeFZDf+fJ3
mbX5nxrld3wi5titTnX+8s4IKv29HJguPvOK/SI7cjzA+SqNfD7qEo8CFDIm1xRf
8xAPsSKs6yZ6j1FNklfu
-----END DSA PRIVATE KEY-----
EOF
		chmod 600 $NX_HOME_DIR/.ssh/client.id_dsa.key
	else
		# generate a new key, backup the old and copy it to $SSH_AUTHORIZED_KEYS
		$PATH_BIN/nxkeygen
	fi
fi
============================================================

IMHO this is a serious bug, and the use of such a key needs to be ruled out.

-- 
Станислав Дёгтев
"Ваш админ" service
My contacts:
- jabber: grumbler@grumbler.org
- email: stas.grumbler@gmail.com and stas@vashadmin.su
- phones in Yekaterinburg: +79045430461 and +79222112259
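
Added example, not part of the original message and not nxsetup code: a defensive audit that reports whether an authorized_keys file still trusts a public key embedded in a setup script such as the /usr/bin/nxsetup quoted above. Both paths are passed as arguments because the message does not give the values of $NX_HOME_DIR or $SSH_AUTHORIZED_KEYS; the script name audit.sh is hypothetical.

```shell
#!/bin/sh
# Added audit example (not nxsetup code): does an authorized_keys file
# trust a public key that is embedded in a setup script?

# Print the base64 blob of each SSH public key in file $1, one per line.
# Option prefixes such as command="..." before the key type are skipped.
key_blobs() {
    awk '{
        for (i = 1; i < NF; i++)
            if ($i ~ /^(ssh-(dss|rsa|ed25519)|ecdsa-sha2-[a-z0-9-]+)$/ &&
                $(i + 1) ~ /^AAAA/) { print $(i + 1); break }
    }' "$1" | sort -u
}

# uses_embedded_key SCRIPT AUTHORIZED_KEYS
# Returns 0 if a key embedded in SCRIPT is trusted by AUTHORIZED_KEYS,
# 1 if none is, 2 if either file cannot be read.
uses_embedded_key() {
    [ -r "$1" ] && [ -r "$2" ] || return 2
    embedded=$(key_blobs "$1")
    [ -n "$embedded" ] || return 1
    # -F: blobs are literal strings; -x: whole-line match; one pattern per line
    key_blobs "$2" | grep -Fxq -e "$embedded"
}

# Usage (hypothetical file name):
#   sh audit.sh /usr/bin/nxsetup <path to the nx user's authorized_keys>
if [ "$#" -eq 2 ]; then
    rc=0
    uses_embedded_key "$1" "$2" || rc=$?
    case $rc in
        0) echo "FAIL: $2 trusts a key embedded in $1; install a custom key pair"
           exit 1 ;;
        1) echo "OK: no key from $1 found in $2" ;;
        *) echo "ERROR: cannot read $1 or $2" >&2
           exit 2 ;;
    esac
fi
```

A FAIL result means the server accepts logins from anyone holding the private key that ships inside the same script, so the nx user's key pair should be replaced with a locally generated one.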