[distcc] Restrict Distcc over SSH (command parameter)
Sebastian Wieseler
2014-11-09 15:17:17 UTC
Hello Distcc List,

I followed the guide http://wiki.gentoo.org/wiki/Distcc to get Distcc to work with SSH.
That should work as follows:
/usr/bin/distcc-config --set-hosts "@test1"

I'm just wondering how to limit the portage user to get a real SSH shell on the "compiling box".
There should be a way with the .authorized_keys and the command="…" parameter for the SSH key.

What command will be exactly executed on the remote host within the distcc call?
To just specify command="/usr/bin/distcc" does not work for example.

Is there a way to make this even more secure? I couldn't find any information on this on the web.
Thanks for helping.

Best Regards,
Sebastian 'kickino'
--
,= ,-_-. =. /"\
((_/)o o(\_)) \ / ASCII Ribbon Campaign
`-'(. .)`-' && X against HTML e-mail
\_/ / \


__
distcc mailing list http://distcc.samba.org/
To unsubscribe or change options:
https://lists.samba.org/mail
Martin Pool
2014-11-17 18:51:47 UTC
Hi, Sebastian,

I don't recall the exact command, but it's probably going to be `distccd
--inet ...something...`. You might be able to see it in the distcc verbose
log.

Being able to restrict the command would be good.

However the main problem with this approach is that distccd in turn
executes a client-supplied command, and it at the moment doesn't have a way
to limit that.

Two complementary things we could do:
- run distcc within a chroot/container that contains only the compiler -
ideally, provide a reusable way for other people to set this up - at least
documentation, maybe a script
- give distccd restrictions on what commands it can run


Fergus Henderson
2014-11-18 09:15:46 UTC
Post by Martin Pool
Hi, Sebastian,
I don't recall the exact command, but it's probably going to be `distccd
--inet ...something...`. You might be able to see it in the distcc verbose
log.
Being able to restrict the command would be good.
However the main problem with this approach is that distccd in turn
executes a client-supplied command, and it at the moment doesn't have a way
to limit that.

Actually we do have a way to limit that, via commands.allow.sh which is
executed by /etc/init.d/distccd and which sets environment variables used
by distccd.

See the following extract from the distccd man page:

-----
ENVIRONMENT VARIABLES

DISTCC_CMDLIST
If the environment variable DISTCC_CMDLIST is set, load a list of supported
commands from the file named by DISTCC_CMDLIST, and refuse to serve any
command whose last DISTCC_CMDLIST_MATCHWORDS last words do not match those
of a command in that list. See the comments in src/serve.c.

DISTCC_CMDLIST_NUMWORDS
The number of words, from the end of the command, to match. The default is
1.
-----
Martin Pool
2014-11-18 17:58:30 UTC
Thanks, Fergus. But how do those variables get set if it's invoked over ssh?
--
Martin
Sebastian Wieseler
2014-11-30 21:03:09 UTC
Hey Martin!
Post by Martin Pool
I don't recall the exact command, but it's probably going to be `distccd
--inet ...something...`. You might be able to see it in the distcc verbose
log.
This really helped. :-)
My .ssh/authorized_keys file now looks like:
from="xxx.xxx.xxx.xxx",no-agent-forwarding,no-port-forwarding,no-X11-forwarding,no-pty,command="distccd --inetd" ssh-rsa …

This works totally fine for me.

The problem with a chroot would be, that you would need then a sshd in that chroot as well?
To just encrypt the traffic and have some kind of authentication, a normal sshd should do the job as well.
And since the distcc remote user can only execute "distccd --inetd" it should be ok :)

Thank you very much again!
Regards, Sebastian
Martin Pool
2014-12-01 19:44:26 UTC
Just to be clear, that's not going to stop a determined attacker running
arbitrary commands via distccd. It will stop people accidentally logging in.

I think you wouldn't need a specific sshd in the chroot - perhaps a little
wrapper under the name 'distccd' that moves into that chroot would be
enough, or perhaps we could do something through the users' shell. It would
be nice to document/script this.
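
One way to get DISTCC_CMDLIST set when distccd is started over SSH, written here as an added example that is not code from the thread's participants or the distcc project: point the key's command="..." at a small wrapper that exports the allowlist variables and then runs the fixed `distccd --inetd`. The wrapper path, the allowlist path and the `--serve` argument are assumptions, and the example assumes distccd honours DISTCC_CMDLIST in --inetd mode as the quoted man page extract describes.

```shell
#!/bin/sh
# Added example: forced-command wrapper for distcc over SSH.
# authorized_keys usage (keep the from=/no-pty/no-*-forwarding options):
#   command="/usr/local/bin/distccd-ssh --serve" ssh-rsa ...
# Wrapper path, --serve flag and allowlist path are assumptions of this example.

CMDLIST_FILE="${CMDLIST_FILE:-/etc/distcc/commands.allow}"  # assumed location

# Return 0 only if the allowlist is a non-empty regular file (not a symlink)
# that neither group nor others can write to. An allowlist the build user
# can edit would not restrict anything.
cmdlist_is_safe() {
    f=$1
    [ -f "$f" ] && [ ! -L "$f" ] && [ -s "$f" ] || return 1
    # find prints the path if a group/other write bit is set; empty means safe.
    loose=$(find "$f" -prune \( -perm -020 -o -perm -002 \) -print)
    [ -z "$loose" ]
}

serve() {
    if ! cmdlist_is_safe "$CMDLIST_FILE"; then
        echo "distccd-ssh: refusing to start, unsafe allowlist $CMDLIST_FILE" >&2
        return 78
    fi
    # The client's requested command is only logged, never evaluated.
    logger -t distccd-ssh "client requested: ${SSH_ORIGINAL_COMMAND:-<none>}" || true
    # Variables named in the distccd man page extract quoted in the thread.
    export DISTCC_CMDLIST="$CMDLIST_FILE"
    export DISTCC_CMDLIST_NUMWORDS=1
    exec distccd --inetd
}

# Only start the server when explicitly asked, so the file can be sourced
# or tested without launching distccd.
case "${1:-}" in
    --serve) serve ;;
esac
```

The wrapper fails closed: if the allowlist is missing, empty, a symlink, or writable by group or others, no distccd is started for that connection.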
