oss-sec mailing list archives
Re: Re: backdoor in upstream xz/liblzma leading to ssh server compromise
From: Axel Beckert <abe () deuxchevaux org>
Date: Sat, 30 Mar 2024 22:46:17 +0100
Hi Andres,

On Sat, Mar 30, 2024 at 12:48:50PM -0700, Andres Freund wrote:
> FWIW, RSA_public_decrypt is reachable, regardless of server configuration,
> when using certificate based authentication.
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Wait, do you really mean SSH keys verified by certificates issued by a (usually internal, SSH-specific) certificate authority (CA) for a key?

See e.g. https://en.wikibooks.org/wiki/OpenSSH/Cookbook/Certificate-based_Authentication for what certificate-based authentication in SSH actually means.

From my experience certificate-based SSH authentication (i.e. those algorithms with *-cert-* in their names) is rather rare, while simple public key authentication (where you just put your according pubkey into .ssh/authorized_keys) is very common.

Can you clarify if you really meant that solely certificate based authentication (with certificates issued by a CA) triggers that code path or if you actually meant all sorts of public key based authentication in general?

Kind regards, Axel
-- 
PGP: 2FF9CD59612616B5          /~\  Plain Text Ribbon Campaign, http://arc.pasp.de/
Mail: abe () deuxchevaux org   \ /  Say No to HTML in E-Mail and Usenet
Mail+Jabber: abe () noone org   X   https://axel.beckert.ch/
                               / \  I love long mails: https://email.is-not-s.ms/