0

With iOS 12 and the new Siri Shortcuts app, I've been thinking of ways I could leverage the SSH command capability in the app. For those of you who don't know, the app allows you to send a bash file or string to stdin and returns stdout as a plain-text file, connecting using password authentication (no token authentication).

What I'd like to do is create a shortcut that executes `sudo shutdown [...]` on a remote server via the SSH command action. Since the action is non-interactive and non-tty I can't interactively enter the password, and I'm reluctant to put the password as plaintext in the action input string/stdin. On the other hand, I don't want to use `sudo -n` and `NOPASSWD` for the shutdown command, as that's a security risk that I don't want to deal with. I thought of perhaps requiring a random string for the shutdown message for `NOPASSWD` to be enabled in the sudoers file (i.e., `sudo shutdown -h now` would require a password, but `sudo shutdown -h now japos98vh92p3hoab982hfpa` would not), but I don't know if that's any more secure or even possible.

In summary, how can I securely send a shutdown command over SSH using a non-interactive, non-tty session?

Matt
  • Unless I'm missing something, you've set the requirement "This must require a password" and also the requirement "I am not able to provide a password". From a security perspective, this seems like a pretty clear "Working as intended: you can't". If you're looking for tips using the Siri Shortcuts App for complex or higher-security SSH tasks, then that would be a StackOverflow / AskDifferent / SuperUser question. – Mike Ounsworth Sep 19 '18 at 19:44
  • @MikeOunsworth It's not "this must require a password" so much as "this must be secure" – Matt Sep 19 '18 at 20:31
  • Yeah, but "secure" by itself is not a thing, like, that doesn't grammar. You need to tell us what you're trying to be secure _against_. Check out [this handy questionnaire](https://www.eff.org/keeping-your-site-alive/evaluating-your-threat-model) to help you figure out your threat / risk model. The wording of your question seems pretty clear that `NOPASSWD` is _"a security risk that I don't want to deal with"_. Like, it sounds like you've set your security bar, then realized that your client can't meet it, and are stuck trying to make them fit together. – Mike Ounsworth Sep 19 '18 at 21:50
  • For example, whether your solution of `sudo shutdown -h now japos98vh92p3hoab982hfpa` meets your security requirements depends on what your security requirements are. The usual security model of `sudo` requires a hands-on-keyboard admin to type the password. Are you willing to weaken this to "_anybody with your phone_"? Or "_Anybody who can see your Siri history_"? Or "_Anybody who can see your bash history?_". Only you can decide what you consider "secure". – Mike Ounsworth Sep 19 '18 at 21:57
  • I'm being kinda sassy and I feel bad. I'll take a shot at writing a real answer. – Mike Ounsworth Sep 19 '18 at 21:59
  • @MikeOunsworth haha it's alright. I'm trying to learn and your feedback is helpful. I suppose I'm trying to secure against someone who has access to the command I send via SSH from being able to access my machine (i.e., by seeing a plaintext account password), yet still keeping a password prompt when using `sudo`. – Matt Sep 19 '18 at 22:22

2 Answers

1

There are a bunch of different questions in here, some of which are not security questions (for example "how to use sudo over a non-interactive SSH session" is really a programming / superuser question), and some of which only you can answer (what counts as "secure").

So instead of answering your question directly, I'll point out some security things to think about relating to your two proposals.

> I don't want to use `sudo -n` and `NOPASSWD` for the shutdown command, as that's a security risk that I don't want to deal with.

You may need to elaborate on what that security risk is and why you don't want to deal with it. Clearly you're OK with Siri knowing your username and password to SSH in, which, if the iOS devs were to build in a mechanism for handling sudo prompts or an attacker were to extract your username/passwd from Siri's storage, would be enough to perform any admin action on that machine.

The reason that `sudo` needs a password is to prevent you downloading malware in firefox, and then it turning itself into root. From the use-case you describe in your question, whether `ssh user@machine 'sudo cmd'` requires you to type your password once or twice doesn't make a difference from a security perspective; either the attacker knows your password, or they don't.

> `sudo shutdown -h now japos98vh92p3hoab982hfpa`

I don't know how you would accomplish this (but would love to learn if you can explain how in comments!). Skipping that (and any potential security holes you open in the process), I suppose this becomes a second admin password so that an attacker needs to know both your account password and this "admin password" in order to execute shutdown. This "admin password" will show up in more places: in plaintext in the Siri app, in the bash history for your user, in the process tree while it's running (try `ps -u`), and probably other places -- there's a reason things like `sudo` take passwords via stdin, not via command-line arguments.

So assuming

  1. An attacker has gotten in to your account - either over SSH or because you downloaded malware in firefox and ran it
  2. You have run this command before and it's in your bash history

I'm not sure there's any difference security-wise between this and setting shutdown to be NOPASSWD.

Mike Ounsworth
  • I've given a bit of a security analysis for your two proposals. Your question is really asking "Is there a way to do this?", which I don't know the answer to, and is really more of a "HowTo use this Siri app" question than a security question :/ As a security tester professionally, I'm usually better at breaking things than fixing them. – Mike Ounsworth Sep 19 '18 at 22:32
  • See my answer below for how I ended up accomplishing this. – Matt Nov 26 '18 at 02:38
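
The point in the answer above about a command-line token appearing in the process tree, as an added example that is not part of the original answer or comments. A stand-in `sh` process takes the place of `sudo shutdown`, the token is a constructed placeholder, and the script assumes Linux `/proc` or a `ps` that supports `-o args=`.

```shell
#!/bin/sh
# Constructed placeholder; not the token from the page.
TOKEN="constructed-token-0000"

# Print the command line of PID $1 as any other local process can read it.
cmdline_of() {
    if [ -r "/proc/$1/cmdline" ]; then
        tr '\0' ' ' < "/proc/$1/cmdline"
    else
        ps -o args= -p "$1"
    fi
}

# Succeeds if the token shows up in the command line of PID $1.
token_in_cmdline() {
    cmdline_of "$1" | grep -q -- "$TOKEN"
}

# Case 1: token passed as an argument, as in `sudo shutdown -h now <token>`.
# The trailing `:` keeps sh from exec-ing sleep and replacing its own argv.
token_visible_as_argument() {
    sh -c 'sleep 3; :' stand-in "$TOKEN" &
    pid=$!
    sleep 1    # give the child time to exec
    token_in_cmdline "$pid" && rc=0 || rc=1
    kill "$pid" 2>/dev/null || true
    return "$rc"
}

# Case 2: the same token fed on stdin, the way `sudo -S` reads a password.
token_visible_on_stdin() {
    printf '%s\n' "$TOKEN" | sh -c 'read -r secret; sleep 3; :' stand-in &
    pid=$!
    sleep 1
    token_in_cmdline "$pid" && rc=0 || rc=1
    kill "$pid" 2>/dev/null || true
    return "$rc"
}

token_visible_as_argument && echo "argument: token readable from the process list"
token_visible_on_stdin || echo "stdin: token absent from the process list"
```
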
0

I figured out how to do it using NOPASSWD and a random string. I added the following lines to my sudoers file:

    matt  ALL=(ALL) NOPASSWD: /sbin/shutdown -h now japos98vh92p3hoab982hfpa
    matt  ALL=(ALL) NOPASSWD: /sbin/reboot japos98vh92p3hoab982hfpa

This worked just like I wanted. :)

Matt