From: Stas <stas.grumbler@gmail.com>
To: ALT Linux Sisyphus discussions <sisyphus@lists.altlinux.org>
Subject: [sisyphus] В установочном скрипте пакета freenx-server захардкожен ключ SSH
Date: Sun, 27 Mar 2016 22:14:18 +0500
Message-ID: <56F814EA.5090008@gmail.com> (raw)
Приветствую!
Устанавливаю сервер freenx и обнаружил весёлую "дыру".
После установки мануал рекомендует выполнить /etc/init.d/freenx-server
install.
В результате выполняется скрипт /usr/bin/nxsetup с параметром --install.
Внутри /usr/bin/nxsetup в функции parse_cmdline(), начиная со строки 126
есть код:
============================================================
if [ "$INSTALL" = "yes" -a "$AUTOMATIC" = "no" -a
"$SETUP_NOMACHINE_KEY" = "no" ]
then
echo "------> It is recommended that you use the
NoMachine key for"
echo " easier setup. If you answer \"y\", FreeNX
creates a custom"
echo " KeyPair and expects you to setup your
clients manually. "
echo " \"N\" is default and uses the NoMachine
key for installation."
echo ""
echo -n " Do you want to use your own custom KeyPair?
[y/N] "
read -n 1 CHOICE
[ "$CHOICE" = "y" ] || SETUP_NOMACHINE_KEY="yes"
fi
============================================================
То есть скрипт рекомендует использовать некий "NoMachine key".
Смотрим, что это за ключ такой и видим его в функции install_nx()
(цитирую, начиная со строки 196):
============================================================
mkdir -p $NX_HOME_DIR/.ssh
chmod 700 $NX_HOME_DIR/ $NX_HOME_DIR/.ssh
if [ ! -f $NX_HOME_DIR/.ssh/$SSH_AUTHORIZED_KEYS -o
"$SETUP_NOMACHINE_KEY" = "yes" ]
then
SETUP_NX_KEY="yes"
if [ "$SETUP_NOMACHINE_KEY" = "yes" ]
then
cat << EOF >$NX_HOME_DIR/.ssh/$SSH_AUTHORIZED_KEYS
no-port-forwarding,no-agent-forwarding,command="$PATH_BIN/nxserver"
ssh-dss
AAAAB3NzaC1kc3MAAACBAJe/0DNBePG9dYLWq7cJ0SqyRf1iiZN/IbzrmBvgPTZnBa5FT/0Lcj39sRYt1paAlhchwUmwwIiSZaON5JnJOZ6jKkjWIuJ9MdTGfdvtY1aLwDMpxUVoGwEaKWOyin02IPWYSkDQb6cceuG9NfPulS9iuytdx0zIzqvGqfvudtufAAAAFQCwosRXR2QA8OSgFWSO6+kGrRJKiwAAAIEAjgvVNAYWSrnFD+cghyJbyx60AAjKtxZ0r/Pn9k94Qt2rvQoMnGgt/zU0v/y4hzg+g3JNEmO1PdHh/wDPVOxlZ6Hb5F4IQnENaAZ9uTZiFGqhBO1c8Wwjiq/MFZy3jZaidarLJvVs8EeT4mZcWxwm7nIVD4lRU2wQ2lj4aTPcepMAAACANlgcCuA4wrC+3Cic9CFkqiwO/Rn1vk8dvGuEQqFJ6f6LVfPfRTfaQU7TGVLk2CzY4dasrwxJ1f6FsT8DHTNGnxELPKRuLstGrFY/PR7KeafeFZDf+fJ3mbX5nxrld3wi5titTnX+8s4IKv29HJguPvOK/SI7cjzA+SqNfD7qEo8=
root@nettuno
EOF
chmod 600 $NX_HOME_DIR/.ssh/$SSH_AUTHORIZED_KEYS
cat << EOF >$NX_HOME_DIR/.ssh/client.id_dsa.key
-----BEGIN DSA PRIVATE KEY-----
MIIBuwIBAAKBgQCXv9AzQXjxvXWC1qu3CdEqskX9YomTfyG865gb4D02ZwWuRU/9
C3I9/bEWLdaWgJYXIcFJsMCIkmWjjeSZyTmeoypI1iLifTHUxn3b7WNWi8AzKcVF
aBsBGiljsop9NiD1mEpA0G+nHHrhvTXz7pUvYrsrXcdMyM6rxqn77nbbnwIVALCi
xFdHZADw5KAVZI7r6QatEkqLAoGBAI4L1TQGFkq5xQ/nIIciW8setAAIyrcWdK/z
5/ZPeELdq70KDJxoLf81NL/8uIc4PoNyTRJjtT3R4f8Az1TsZWeh2+ReCEJxDWgG
fbk2YhRqoQTtXPFsI4qvzBWct42WonWqyyb1bPBHk+JmXFscJu5yFQ+JUVNsENpY
+Gkz3HqTAoGANlgcCuA4wrC+3Cic9CFkqiwO/Rn1vk8dvGuEQqFJ6f6LVfPfRTfa
QU7TGVLk2CzY4dasrwxJ1f6FsT8DHTNGnxELPKRuLstGrFY/PR7KeafeFZDf+fJ3
mbX5nxrld3wi5titTnX+8s4IKv29HJguPvOK/SI7cjzA+SqNfD7qEo8CFDIm1xRf
8xAPsSKs6yZ6j1FNklfu
-----END DSA PRIVATE KEY-----
EOF
chmod 600 $NX_HOME_DIR/.ssh/client.id_dsa.key
else
# generate a new key, backup the old and copy
it to $SSH_AUTHORIZED_KEYS
$PATH_BIN/nxkeygen
fi
fi
============================================================
IMHO это серьёзный баг и нужно исключить использование такого ключа.
--
Станислав Дёгтев
Служба "Ваш админ"
Мои контакты:
- jabber: grumbler@grumbler.org
- email: stas.grumbler@gmail.com и stas@vashadmin.su
- телефоны в Е-бурге +79045430461 и +79222112259
next reply other threads:[~2016-03-27 17:14 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-03-27 17:14 Stas [this message]
2016-03-27 19:38 ` Michael Shigorin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=56F814EA.5090008@gmail.com \
--to=stas.grumbler@gmail.com \
--cc=sisyphus@lists.altlinux.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
ALT Linux Sisyphus discussions
This inbox may be cloned and mirrored by anyone:
git clone --mirror http://lore.altlinux.org/sisyphus/0 sisyphus/git/0.git
# If you have public-inbox 1.1+ installed, you may
# initialize and index your mirror using the following commands:
public-inbox-init -V2 sisyphus sisyphus/ http://lore.altlinux.org/sisyphus \
sisyphus@altlinux.ru sisyphus@altlinux.org sisyphus@lists.altlinux.org sisyphus@lists.altlinux.ru sisyphus@lists.altlinux.com sisyphus@linuxteam.iplabs.ru sisyphus@list.linux-os.ru
public-inbox-index sisyphus
Example config snippet for mirrors.
Newsgroup available over NNTP:
nntp://lore.altlinux.org/org.altlinux.lists.sisyphus
AGPL code for this site: git clone https://public-inbox.org/public-inbox.git