Re: CVE Request: Debian (others?) openssh-server: Forced Command handling leaks private information to ssh clients

[Kurt Seifried <kseifried () redhat com>]

On 01/27/2012 03:40 AM, Yves-Alexis Perez wrote:
> On jeu., 2012-01-26 at 19:49 -0500, Marc Deslauriers wrote:
> > > Please use CVE-2012-0814 for this issue. Also please let me know if
> > > other Linux distributions are affected!
> >
> > Looks like this (I haven't tried...):
> >
> > http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/auth-options.c.diff?r1=1.53;r2=1.54 
>
> By the way, is the ForceCommand (and other directives) really supposed
> to be private for different keys (or, more widely, for different matches
> for the same user).
>
> Regards,

I created three separate keys, so three separate accounts. I can't see
any valid reason that account #3 (that is the third key listed) should
be able to see the first and second force commands. These commands could
contain sensitive commands/passwords (e.g. log in with a key to trigger
some automated job by the backup user) for example.

-- 
Kurt Seifried Red Hat Security Response Team (SRT)