oss-sec mailing list archives
Re: OpenSSH key blacklisting
From: Mike Frysinger <vapier () gentoo org>
Date: Sat, 31 May 2008 08:33:22 +0000 (UTC)
On Sat, 17 May 2008 01:50:00 +0400, Solar Designer wrote:
Thanks for the "bug" reference. FWIW, the shell script in this comment is vulnerable itself, in more than one way: http://bugs.gentoo.org/show_bug.cgi?id=221759#c9 For example, it lets a user have any other user's or root's authorized_keys removed, by replacing .ssh with a symlink to someone else's .ssh directory. It's just bad practice to access users' files as root (or as another user); this is difficult to do safely. Also, it misses authorized_keys2.
while the issues you raise are certainly valid in the general case, i wrote it for use on a constrained system -- users are not allowed login nor are they allowed to control any files directly. it's a gforge system, so all keys are managed via a web interface and the ssh backend is only for committing to svn/cvs/git repositories. so in this setup, none of the concerns you raise need to be accounted for. i leave it up to others to extend it for their own safe use ;). -mike
Current thread:
- Re: OpenSSH key blacklisting, (continued)
- Re: OpenSSH key blacklisting Tim Brown (May 28)
- Re: OpenSSH key blacklisting Sebastian Krahmer (May 28)
- Re: OpenSSH key blacklisting Tim Brown (Jun 02)
- Re: OpenSSH key blacklisting Sebastian Krahmer (Jun 02)
- Re: OpenSSH key blacklisting Nathanael Hoyle (Jun 04)
- Re: OpenSSH key blacklisting The Fungi (Jun 04)
- Re: OpenSSH key blacklisting Nathanael Hoyle (Jun 04)
- Re: OpenSSH key blacklisting Jonathan Smith (Jun 04)
- Re: OpenSSH key blacklisting Nathanael Hoyle (May 28)
- Re: OpenSSH key blacklisting Florian Weimer (May 28)
- Re: OpenSSH key blacklisting Mike Frysinger (May 31)
- Re: OpenSSH key blacklisting Solar Designer (May 16)
- Re: OpenSSH key blacklisting Gustavo De Nardin (spuk) (May 16)