Whitelist a command - client to server SSH

  • Question

  • Hi everyone!

    I'm working on a project in which a client can send files to a server through SSH. I'm using C#, so I'm using the Renci library and the SftpClient class. But I have a problem: if the user of the machine on which the client is executing wants to send some commands to the server (through cmd and OpenSSH), he can do it (for example, he can reboot the server machine).

    To avoid that, I want to "whitelist" the commands that a client can run (only the copying of files). How can I do that?

    Thursday, October 3, 2019 8:40 AM

Answers

  • Compare the "command" the user sends to a list of allowed commands.

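    //Totally guessing on what your code looks like
    using System;
    using System.Collections.Generic;
    using System.Linq;

    class CommandSender
    {
       //Stored somewhere
       List<string> allowedCommands = new List<string>() {
            "Allowed1", "Allowed2"
        };

       void DoWork ( string command, string arguments )
       {
          //Reject anything that is not on the list before it is sent
          if (!AllowedCommand(command))
             throw new InvalidOperationException("Invalid command");

          //Send command
       }

       bool AllowedCommand ( string command )
       {
          //Ordinal comparison so the match does not depend on the current culture
          return allowedCommands.Any(c => string.Equals(c, command, StringComparison.OrdinalIgnoreCase));
       }
    }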

    Of course if your code is actually command aware (e.g. command1 needs to call OnCommand1, command2 calls OnCommand2, etc) then you're likely using either a dictionary or switch statement. In their case if you don't find a match then it is an unsupported command so you can fail the call at that point. No need to whitelist anything as it is implied by your code.

    If the command is part of a larger object (or part of a string) then you'll need to pick apart the object/string to get the base command. That is an implementation detail.


    Michael Taylor http://www.michaeltaylorp3.net

    Thursday, October 3, 2019 2:38 PM
    Moderator
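
The dictionary approach and the base-command extraction described in the answer above, as an added example that is not part of the original post or the poster's code. `CommandDispatcher`, the `upload` and `list` commands and the argument rule are hypothetical; the check covers only commands routed through this code.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Added example; CommandDispatcher, "upload" and "list" are hypothetical names.
public static class CommandDispatcher
{
    // The dictionary is the allowlist: only names registered here can run.
    // OrdinalIgnoreCase keeps the lookup independent of the current culture.
    private static readonly Dictionary<string, Func<string[], string>> Handlers =
        new Dictionary<string, Func<string[], string>>(StringComparer.OrdinalIgnoreCase)
        {
            ["upload"] = args => Require(args, 1, "upload"),
            ["list"] = args => Require(args, 1, "list"),
        };

    // Assumed argument rule: fixed count; letters, digits and . _ - / only.
    private static string Require(string[] args, int count, string name)
    {
        bool clean = args.All(a => a.All(ch => char.IsLetterOrDigit(ch) || "._-/".IndexOf(ch) >= 0));
        if (args.Length != count || !clean)
            throw new InvalidOperationException("Invalid arguments for " + name);
        return name + " " + string.Join(" ", args);
    }

    public static string Dispatch(string commandLine)
    {
        if (string.IsNullOrWhiteSpace(commandLine))
            throw new InvalidOperationException("Empty command");
        // Pick the string apart: the first token is the base command, the rest are arguments.
        string[] tokens = commandLine.Split((char[])null, StringSplitOptions.RemoveEmptyEntries);
        string[] args = tokens.Skip(1).ToArray();
        // Whole-token match: "upload;reboot" is a single token and has no handler.
        if (!Handlers.TryGetValue(tokens[0], out var handler))
            throw new InvalidOperationException("Unsupported command: " + tokens[0]);
        return handler(args);
    }

    public static void Main()
    {
        // Constructed sample inputs.
        foreach (var line in new[] { "UPLOAD report.txt", "list /incoming", "reboot", "upload;reboot now" })
        {
            try { Console.WriteLine(Dispatch(line)); }
            catch (InvalidOperationException ex) { Console.WriteLine("rejected: " + ex.Message); }
        }
    }
}
```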