Date: Sat, 31 May 2008 08:33:22 +0000 (UTC) From: Mike Frysinger <vapier@...too.org> To: oss-security@...ts.openwall.com Subject: Re: OpenSSH key blacklisting On Sat, 17 May 2008 01:50:00 +0400, Solar Designer wrote: > Thanks for the "bug" reference. FWIW, the shell script in this comment > is vulnerable itself, in more than one way: > > http://bugs.gentoo.org/show_bug.cgi?id=221759#c9 > > For example, it lets a user have any other user's or root's > authorized_keys removed, by replacing .ssh with a symlink to someone > else's .ssh directory. It's just bad practice to access users' files as > root (or as another user); this is difficult to do safely. > > Also, it misses authorized_keys2. while the issues you raise are certainly valid in the general case, i wrote it for use on a constrained system -- users are not allowed login nor are they allowed to control any files directly. it's a gforge system, so all keys are managed via a web interface and the ssh backend is only for committing to svn/cvs/git repositories. so in this setup, none of the concerns you raise need to be accounted for. i leave it up to others to extend it for their own safe use ;). -mike
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.