September 19, 2001

OpenSSH: sftp & bypassing keypair auth restrictions

Author: JT Smith

From "If you 1) are using keypairs and ~/.ssh/authorized_keys2
to enable remote execution of commands via OpenSSH's sshd
and 2) have sshd configured to provide sftp service via
the sftp-server subsystem, then clients who have access
with "restricted" keypairs can gain additional access on
the server side. In most cases, sftp can be used to evade
the authorized_keys2 command= and other restrictions
(i.e., obtaining the regular shell access that the server
was configured to deny them). It appears that both
OpenSSH 2.9 (the official OpenBSD code) and OpenSSH 2.9p2
(the official "portable" code for other systems) by
default *do* have the sftp subsystem enabled, and their
users would be vulnerable if they set up restricted


  • Linux
Click Here!