Ira,
> On Feb 4, 2020, at 9:52 AM, Ira McDonald <blueroofmusic at gmail.com> wrote:
>> Hi Mike,
> ...
> My own intuition is that remote shells should not be used in HCDs
> because, if there is any implementation bug in the shell (e.g., SSH),
> then a privilege execution attack becomes easy to implement. Do
> you disagree with that recommendation?
SSH is used in a lot of network equipment (routers, in particular) where it is a means of doing configuration. You aren't dropped into a bash shell; it is a restricted environment specifically for the purpose of configuration and maintenance, and there are no standards for a lot of that configuration and maintenance.
My pragmatic recommendation is that if (and only if) an HCD needs a secure mechanism for remote configuration or maintenance that is not handled by an existing standard protocol, and the vendor uses a command-oriented interface for doing so, the vendor should use SSH to wrap their interface. Historically such interfaces have used TELNET (!) or other clear-text "protocols" which are obviously insecure.
Thankfully the list of potential things you'd need such an interface for continues to grow shorter over time, and many of these interfaces have been replaced with web-based alternatives (with their own set of security issues, not the least of which is web browsers not liking self-signed IoT certs...), but as a security guideline we should (IMHO) be pragmatic and provide guidance that is most likely to be followed.
________________________
Michael Sweet
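An added example of the "restricted environment, not a bash shell" pattern Mike describes above (this is illustrative code written for this archive, not code from Mike's message or from any HCD vendor): sshd's ForceCommand hands the client's requested command string to a dispatcher in SSH_ORIGINAL_COMMAND, and the dispatcher only ever runs a fixed allowlist of maintenance verbs, so an SSH login never reaches a general-purpose shell. The sshd_config lines, the /usr/libexec/hcd-maint-shell and /usr/libexec/hcd-cli paths, the hcd-maint group and the three verbs are all assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the original post): a ForceCommand front end
# that turns "SSH access" into "SSH access to three maintenance verbs".
#
# Assumed sshd_config fragment (hypothetical group and path):
#
#   Match Group hcd-maint
#       ForceCommand /usr/libexec/hcd-maint-shell
#       PermitTTY no
#       AllowTcpForwarding no
#       X11Forwarding no
#
# With ForceCommand set, sshd ignores what the client asked to run and
# executes this script instead, exporting the original request as
# SSH_ORIGINAL_COMMAND.  The request is never passed to a shell (no eval,
# no `sh -c`), so "show-config; rm -rf /" is rejected, not executed.

# Never let word splitting below expand globs from attacker-controlled text.
set -f

# hcd_dispatch REQUEST
#   Prints the canonical allowlisted command line and returns 0 if REQUEST
#   is permitted; prints nothing and returns 1 otherwise.  Only the first
#   whitespace-separated word is treated as a verb; argument count and
#   character set are validated per verb.
hcd_dispatch() {
    # Split on IFS (space, tab, newline) into positional parameters.
    # Nothing here is re-parsed by the shell, so metacharacters such as
    # ';', '|', '$(' and backticks simply end up inside words that fail
    # the checks below.
    set -- $1
    verb="${1-}"
    case "$verb" in
        show-config)
            [ $# -eq 1 ] || return 1
            printf '%s\n' "show-config"
            return 0 ;;
        set-hostname)
            # Exactly one argument, restricted to a conservative hostname charset.
            [ $# -eq 2 ] || return 1
            case "$2" in
                ""|*[!a-zA-Z0-9.-]*) return 1 ;;
            esac
            printf '%s %s\n' "set-hostname" "$2"
            return 0 ;;
        reboot)
            [ $# -eq 1 ] || return 1
            printf '%s\n' "reboot"
            return 0 ;;
        *)
            return 1 ;;
    esac
}

# Entry point when invoked by sshd.  Guarded so the functions above can be
# sourced by a test harness without SSH_ORIGINAL_COMMAND being set.
if [ -n "${SSH_ORIGINAL_COMMAND+set}" ]; then
    if canon=$(hcd_dispatch "$SSH_ORIGINAL_COMMAND"); then
        # $canon is an allowlisted verb plus validated arguments; the
        # unquoted expansion is intentional and safe (set -f is in effect).
        # /usr/libexec/hcd-cli is a hypothetical backend that implements the verbs.
        exec /usr/libexec/hcd-cli $canon
    else
        logger -t hcd-maint-shell \
            "rejected request from ${SSH_CLIENT%% *}: $SSH_ORIGINAL_COMMAND"
        echo "error: command not permitted" >&2
        exit 1
    fi
fi
```

The same restriction can be attached per key instead of per group with `command="/usr/libexec/hcd-maint-shell",restrict` in authorized_keys (the `restrict` option is available in OpenSSH 7.2 and later). Either way, the security of the interface now rests on the size of the allowlist and the argument validation in the dispatcher, not on the absence of bugs in a full login shell.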