oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

Re: OpenSSH key blacklisting

From: Mike Frysinger <vapier () gentoo org>
Date: Sat, 31 May 2008 08:33:22 +0000 (UTC)
On Sat, 17 May 2008 01:50:00 +0400, Solar Designer wrote:

Thanks for the "bug" reference.  FWIW, the shell script in this comment
is vulnerable itself, in more than one way:

      http://bugs.gentoo.org/show_bug.cgi?id=221759#c9

For example, it lets a user have any other user's or root's
authorized_keys removed, by replacing .ssh with a symlink to someone
else's .ssh directory.  It's just bad practice to access users' files as
root (or as another user); this is difficult to do safely.

Also, it misses authorized_keys2.


while the issues you raise are certainly valid in the general case, i 
wrote it for use on a constrained system -- users are not allowed login 
nor are they allowed to control any files directly.  it's a gforge 
system, so all keys are managed via a web interface and the ssh backend 
is only for committing to svn/cvs/git repositories.  so in this setup, 
none of the concerns you raise need to be accounted for.  i leave it up 
to others to extend it for their own safe use ;).
-mike
Previous By Date Next
Previous By Thread Next

Current thread: