Remove ability for gvm user to obtain shell and restrict the port-forwards possible #181
Comments
The issue is that the GVM connects to a UNIX socket to talk to the scanner. That is the reason the "scanner id" exists, so that each scanner has a unique filename. You can see the script that is used to connect here. Adding the following should be possible, but I have not yet tested it.
If you have any other ideas on how we could improve the security of the remote scanners, that would be helpful.
We can do something like what is described here: https://www.skreutz.com/posts/unix-domain-socket-forwarding-with-openssh/
Is your feature request related to a problem? Please describe.
Currently it appears `sshd_config` is restricted to the `gvm` user with nicely appropriate authentication and encryption settings. However, this `sshd_config` does not prevent the `gvm` user from being able to establish a shell or create arbitrary port-forwards. In the undesirable situation where the associated SSH private key ends up in the wrong hands, it would be better if the `gvm` user had less freedom and was more limited in what it can achieve beyond the ssh-port-forward requirement.

Describe the solution you'd like
Add restrictions to `sshd_config` and the `gvm` user by introducing configuration items as suggested below - I do not have a test/development environment available to confirm the config below can be cut-n-paste into place - presented here as a guide that outlines the intent.

Describe alternatives you've considered
None

Additional context
None
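The configuration the reporter says is "suggested below" is not on this page, so the following is an added example of the kind of restriction the request describes. It is editor-written, not the project's own `sshd_config`, and it assumes an OpenSSH `sshd` (6.7 or later, for `AllowStreamLocalForwarding`) and a root-owned key directory `/etc/ssh/authorized_keys.d/`; both the directory and the use of `/bin/false` are assumptions, not anything the project documents.

```sshd_config
# Added example, not the project's sshd_config: confine the gvm account to
# UNIX-socket forwarding.  All directives are standard OpenSSH and are allowed
# inside a Match block.  /etc/ssh/authorized_keys.d/ is an assumed layout.
Match User gvm
    # Key-only login for this account.
    PasswordAuthentication no
    # Named ChallengeResponseAuthentication on OpenSSH before 8.7.
    KbdInteractiveAuthentication no
    # No interactive use: no TTY, no X11, no agent forwarding, no tun devices,
    # and no ~/.ssh/rc run at login.
    PermitTTY no
    X11Forwarding no
    AllowAgentForwarding no
    PermitTunnel no
    PermitUserRC no
    # Whatever shell or command the client requests, run /bin/false instead.
    # A client started with "ssh -N" requests no command at all, so its
    # forwards still work; a stolen key cannot turn the session into a shell.
    ForceCommand /bin/false
    # GVM reaches the scanner over a UNIX socket, so TCP forwarding is not
    # needed at all; only stream-local (UNIX-socket) forwarding stays on.
    AllowTcpForwarding no
    AllowStreamLocalForwarding yes
    # Remove a stale socket file before binding a remote (-R) socket forward.
    StreamLocalBindUnlink yes
    # Keep the key outside gvm's home so the account cannot loosen its own
    # restrictions by editing ~/.ssh/authorized_keys (assumed root-owned dir).
    AuthorizedKeysFile /etc/ssh/authorized_keys.d/%u
```

Two caveats a practitioner would want. First, `PermitOpen` and the `permitopen=` key option only constrain TCP destinations; `sshd` has no per-path allow-list for UNIX-socket forwards, so the real control is the socket file's own permissions: the forward is opened as the `gvm` user, so `gvm` can only reach sockets it can open. If the forward is always initiated from the GVM side with `ssh -L`, `AllowStreamLocalForwarding local` is tighter than `yes`. Second, the same restrictions can be pinned to the key itself with `restrict,port-forwarding,command="/bin/false" ssh-ed25519 AAAA... gvm@gvmd` in the authorized_keys file (`restrict` turns everything off and `port-forwarding` re-enables both TCP and socket forwards; the key material here is a placeholder), which survives an `sshd_config` regression. To confirm what the `Match` block actually yields before relying on it, run `sshd -T -C user=gvm,host=scanner.example,addr=192.0.2.10 | grep -iE 'forward|permittty|forcecommand'` (hostname and address are illustrative).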