Date: Fri, 27 Jan 2012 09:59:49 -0700
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: Yves-Alexis Perez <corsac@...ian.org>
Subject: Re: CVE Request: Debian (others?) openssh-server:
 Forced Command handling leaks private information to ssh clients

On 01/27/2012 03:40 AM, Yves-Alexis Perez wrote:
> On jeu., 2012-01-26 at 19:49 -0500, Marc Deslauriers wrote:
>>> Please use CVE-2012-0814 for this issue. Also please let me know if
>>> other Linux distributions are affected!
>>
>> Looks like this (I haven't tried...):
>>
>> http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/auth-options.c.diff?r1=1.53;r2=1.54 
> 
> By the way, is the ForceCommand (and other directives) really supposed
> to be private for different keys (or, more widely, for different matches
> for the same user)?
> 
> Regards,

I created three separate keys, so three separate accounts. I can't see
any valid reason that account #3 (that is the third key listed) should
be able to see the first and second force commands. These commands could
contain sensitive commands/passwords (e.g. log in with a key to trigger
some automated job by the backup user) for example.

-- 
Kurt Seifried Red Hat Security Response Team (SRT)
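As an added illustration of the risk Kurt describes (example code, not from the thread or from OpenSSH): a small audit that parses an authorized_keys file, pulls out each key's forced command, and flags commands that appear to carry a credential, since the thread reports that the other keys' forced commands were visible to the connecting client. The sample file and the credential-matching regex are constructed for this example.

```python
import re

# Heuristic (assumed for this example): a credential passed on the forced command line.
SECRET_RE = re.compile(r"(?:pass(?:word|wd)?|secret|token)\s*[=:]\s*\S+", re.I)

# Constructed sample (placeholder key blobs): three keys on one account, each with a forced command.
SAMPLE_AUTHORIZED_KEYS = """\
# backup job with its credential embedded in the forced command (the bad case)
command="/usr/local/bin/backup --password=s3cr3t",no-pty ssh-rsa AAAAKEY1PLACEHOLDER backup@host1
command="/usr/bin/rsync --server --sender . /srv/data",no-agent-forwarding ssh-rsa AAAAKEY2PLACEHOLDER mirror@host2
command="/usr/local/bin/deploy \\"release\\"",no-port-forwarding ssh-ed25519 AAAAKEY3PLACEHOLDER deploy@host3
"""

def parse_options(line):
    """Return ({option: value}, rest) for one authorized_keys line; quoted values may contain \\" escapes."""
    if line.startswith(("ssh-", "ecdsa-")):
        return {}, line                      # no options before the key type
    opts, i = {}, 0
    while i < len(line):
        name = re.match(r"[A-Za-z0-9_-]+", line[i:]).group(0)   # malformed line raises here
        i += len(name)
        value = True                         # flag option such as no-pty
        if line[i:i + 2] == '="':
            i, buf = i + 2, []
            while line[i] != '"':
                if line[i:i + 2] == '\\"':   # escaped quote inside the value
                    i += 1
                buf.append(line[i])
                i += 1
            i, value = i + 1, "".join(buf)   # skip the closing quote
        opts[name.lower()] = value
        if line[i:i + 1] != ",":
            break
        i += 1
    return opts, line[i:].strip()

def find_secret_forced_commands(text):
    """Return (line number, key comment, command) for each forced command that looks like it carries a credential."""
    hits = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opts, keypart = parse_options(line)
        cmd = opts.get("command")
        if isinstance(cmd, str) and SECRET_RE.search(cmd):
            fields = keypart.split(None, 2)  # keytype, blob, optional comment
            hits.append((lineno, fields[2] if len(fields) > 2 else "", cmd))
    return hits
```

Running `find_secret_forced_commands` over the sample flags only the backup key; the rsync and deploy commands carry no credential and are not reported.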
