Date: Fri, 27 Jan 2012 09:59:49 -0700
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: Yves-Alexis Perez <corsac@...ian.org>
Subject: Re: CVE Request: Debian (others?) openssh-server:
 Forced Command handling leaks private information to ssh clients

On 01/27/2012 03:40 AM, Yves-Alexis Perez wrote:
> On jeu., 2012-01-26 at 19:49 -0500, Marc Deslauriers wrote:
>>> Please use CVE-2012-0814 for this issue. Also please let me know if
>>> other Linux distributions are affected!
>>
>> Looks like this (I haven't tried...):
>>
>> http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/auth-options.c.diff?r1=1.53;r2=1.54
> 
> By the way, is the ForceCommand (and other directives) really supposed
> to be private for different keys (or, more widely, for different matches
> for the same user).
> 
> Regards,

I created three separate keys, so three separate accounts. I can't see
any valid reason that account #3 (that is the third key listed) should
be able to see the first and second force commands. These commands could
contain sensitive commands/passwords (e.g. logging in with a key to trigger
some automated job by the backup user).

-- 
Kurt Seifried Red Hat Security Response Team (SRT)
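
As an added example (not code from this thread or from OpenSSH), the check a
practitioner would run for the leak Kurt describes: the setup mirrors his
three-keys-in-one-account test, and the check reads the client's own `ssh -v`
output for command= text that belongs to other keys. The authorized_keys
entries, key blobs and debug lines are constructed for the example; the
"Remote: Forced command: ..." wording is an assumption about what an unpatched
sshd sent and the client printed, and "Forced command." the patched form.

```shell
#!/bin/sh
# Added example, not from the thread or from OpenSSH: a client-side check for
# the CVE-2012-0814 leak. The authorized_keys entries, key blobs and debug
# lines below are constructed; the "Remote: Forced command: ..." wording is
# assumed to be what an unpatched sshd sent and `ssh -v` printed.

# Three keys in one account, each with its own command= option (Kurt's setup).
AUTHORIZED_KEYS='command="/usr/local/bin/backup-job --token SECRET-1",no-pty ssh-rsa AAAAB3NzaC1yc2EFAKEKEY1= key1
command="/usr/local/bin/deploy --password SECRET-2",no-pty ssh-rsa AAAAB3NzaC1yc2EFAKEKEY2= key2
command="/usr/local/bin/report",no-pty ssh-rsa AAAAB3NzaC1yc2EFAKEKEY3= key3'

# What the holder of key3 saw in `ssh -v` from an unpatched server: sshd parsed
# (and debug-reported) the options of every line it read before finding the match.
VULN_LOG='debug1: Remote: Forced command: /usr/local/bin/backup-job --token SECRET-1
debug1: Remote: Forced command: /usr/local/bin/deploy --password SECRET-2
debug1: Remote: Forced command: /usr/local/bin/report
debug1: Authentication succeeded (publickey).'

# Same session against a patched server: the message no longer carries the command.
FIXED_LOG='debug1: Remote: Forced command.
debug1: Remote: Forced command.
debug1: Remote: Forced command.
debug1: Authentication succeeded (publickey).'

# Print the command="..." value of every authorized_keys line, one per line.
forced_commands() {
    printf '%s\n' "$1" | sed -n 's/.*command="\([^"]*\)".*/\1/p'
}

# leaked_commands DEBUG_OUTPUT AUTHORIZED_KEYS [OWN_COMMAND]
# Print every forced command from AUTHORIZED_KEYS that appears verbatim in the
# client-visible DEBUG_OUTPUT, skipping the connecting key's own command.
leaked_commands() {
    debug_output=$1; keys=$2; own=${3:-}
    forced_commands "$keys" | while IFS= read -r cmd; do
        [ "$cmd" = "$own" ] && continue
        if printf '%s\n' "$debug_output" | grep -qF -- "$cmd"; then
            printf '%s\n' "$cmd"
        fi
    done
}

# Live use: capture the client's own view of the exchange and run the check.
#   ssh -v -n user@host true 2>debug.log
#   leaked_commands "$(cat debug.log)" "$(cat authorized_keys)" "<your command>"
echo "Unpatched server leaks:"
leaked_commands "$VULN_LOG" "$AUTHORIZED_KEYS" "/usr/local/bin/report"
echo "Patched server leaks:"
leaked_commands "$FIXED_LOG" "$AUTHORIZED_KEYS" "/usr/local/bin/report"
```

The check deliberately works from the client side only: the leak is in what
the server volunteers in its debug messages, so any key holder who can run
`ssh -v` can see it without access to the server's authorized_keys file; the
file is supplied here only so the script knows which strings to look for.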
