Date: Fri, 27 Jan 2012 09:59:49 -0700 From: Kurt Seifried <kseifried@...hat.com> To: oss-security@...ts.openwall.com CC: Yves-Alexis Perez <corsac@...ian.org> Subject: Re: CVE Request: Debian (others?) openssh-server: Forced Command handling leaks private information to ssh clients On 01/27/2012 03:40 AM, Yves-Alexis Perez wrote: > On jeu., 2012-01-26 at 19:49 -0500, Marc Deslauriers wrote: >>> Please use CVE-2012-0814 for this issue. Also please let me know if >>> other Linux distributions are affected! >>> >>> >> >> Looks like this (I haven't tried...): >> >> http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/auth-options.c.diff?r1=1.53;r2=1.54 > > By the way, is the ForceCommand (and other directives) really supposed > to be private for different keys (or, more widely, for different matches > for the same user). > > Regards, I created three separate keys, so three separate accounts. I can't see any valid reason that account #3 (that is the third key listed) should be able to see the first and second force commands. These commands could contain sensitive commands/passwords (e.g. log in with a key to trigger some automated job by the backup user) for example. -- Kurt Seifried Red Hat Security Response Team (SRT)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ