oss-sec mailing list archives
Re: OpenSSH key blacklisting
From: Robert Buchholz <rbu () gentoo org>
Date: Sat, 17 May 2008 16:46:30 +0200
On Friday 16 May 2008, Solar Designer wrote:
> Thanks for the "bug" reference. FWIW, the shell script in this comment is vulnerable itself, in more than one way:
> http://bugs.gentoo.org/show_bug.cgi?id=221759#c9
> For example, it lets a user have any other user's or root's authorized_keys removed, by replacing .ssh with a symlink to someone else's .ssh directory.
Do you mean the race condition between finding and removing the key? Otherwise, I cannot see how to have someone else's removed.
> > I assume whichever version has the acceptance of the OpenSSH upstream is what most of us would be willing to go with. Did you discuss either blacklist format with them already?
> Yes, very briefly. They don't intend to implement key blacklisting.
That's not too helpful for our case. Do you have a patch to propose, implementing your idea? There has been approval of your idea inside Gentoo's hardened team.
Robert
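
The symlink and find-then-remove race concerns raised in this message can be closed by resolving every path component through directory file descriptors with O_NOFOLLOW and checking ownership on the opened descriptors. The following is an added example, not part of the original post and not the script from the Gentoo bug; the function name `purge_keys`, matching on the base64 key blob, and the sample key strings used with it are assumptions.

```python
import os
import stat

DIR_FLAGS = os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW


def purge_keys(home, uid, bad_blobs):
    """Remove authorized_keys lines whose base64 key blob is in the set bad_blobs.

    Returns the number of lines removed. Raises OSError if .ssh or
    authorized_keys is a symlink, and PermissionError if either is not
    owned by uid or the key file is not a regular file.
    """
    home_fd = os.open(home, DIR_FLAGS)
    try:
        # Opened relative to home_fd without following links: a .ssh that
        # was swapped for a symlink makes this call fail instead of
        # redirecting the cleanup into another user's directory.
        ssh_fd = os.open(".ssh", DIR_FLAGS, dir_fd=home_fd)
        try:
            key_fd = os.open("authorized_keys",
                             os.O_RDWR | os.O_NOFOLLOW, dir_fd=ssh_fd)
            try:
                # Checks run on the open descriptors, so the objects
                # inspected are the objects modified (no check/use gap).
                for fd in (ssh_fd, key_fd):
                    if os.fstat(fd).st_uid != uid:
                        raise PermissionError("not owned by target user")
                if not stat.S_ISREG(os.fstat(key_fd).st_mode):
                    raise PermissionError("not a regular file")
                with os.fdopen(key_fd, "r+", closefd=False) as f:
                    lines = f.readlines()
                    kept = [line for line in lines
                            if not bad_blobs.intersection(line.split())]
                    # Rewrite in place through the same descriptor.
                    f.seek(0)
                    f.truncate()
                    f.writelines(kept)
                return len(lines) - len(kept)
            finally:
                os.close(key_fd)
        finally:
            os.close(ssh_fd)
    finally:
        os.close(home_fd)
```

The ownership check also rejects a hard link to another user's key file, which O_NOFOLLOW alone does not catch.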