Date: Sat, 17 May 2008 01:50:00 +0400
From: Solar Designer <solar@...nwall.com>
To: oss-security@...ts.openwall.com
Subject: Re: OpenSSH key blacklisting

On Fri, May 16, 2008 at 09:36:06PM +0200, Robert Buchholz wrote:
> Gentoo is discussing the feature in bug #221759 [1]. Until now, I have 
> not heard a reaction to the patch from our OpenSSH maintainers, so I 
> cannot judge on the technical side of the inclusion.

Thanks for the "bug" reference.  FWIW, the shell script in this comment
is vulnerable itself, in more than one way:

	http://bugs.gentoo.org/show_bug.cgi?id=221759#c9

For example, it lets a user have any other user's or root's
authorized_keys removed, by replacing .ssh with a symlink to someone
else's .ssh directory.  It's just bad practice to access users' files as
root (or as another user); this is difficult to do safely.

Also, it misses authorized_keys2.

> I assume whichever version has the acceptance of the OpenSSH upstream is 
> what most of us would be willing to go with. Did you discuss either 
> blacklist format with them already?

Yes, very briefly.  They don't intend to implement key blacklisting.

I suspect that a worm might change this, though. ;-)

> Personally, I would like to see the feature ported to our distribution 
> sooner than later, but neither at the cost of maintaining patchsets for 
> the rest of existence, nor with high transition cost once upstream 
> accepts another format.

Well, this is difficult to predict correctly.

Alexander
