Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <g1r2gi$96g$1@ger.gmane.org>
Date: Sat, 31 May 2008 08:33:22 +0000 (UTC)
From:  Mike Frysinger <vapier@...too.org>
To: oss-security@...ts.openwall.com
Subject:  Re: OpenSSH key blacklisting

On Sat, 17 May 2008 01:50:00 +0400, Solar Designer wrote:
> Thanks for the "bug" reference.  FWIW, the shell script in this comment
> is vulnerable itself, in more than one way:
> 
> 	http://bugs.gentoo.org/show_bug.cgi?id=221759#c9
> 
> For example, it lets a user have any other user's or root's
> authorized_keys removed, by replacing .ssh with a symlink to someone
> else's .ssh directory.  It's just bad practice to access users' files as
> root (or as another user); this is difficult to do safely.
> 
> Also, it misses authorized_keys2.

while the issues you raise are certainly valid in the general case, i 
wrote it for use on a constrained system -- users are not allowed login 
nor are they allowed to control any files directly.  it's a gforge 
system, so all keys are managed via a web interface and the ssh backend 
is only for committing to svn/cvs/git repositories.  so in this setup, 
none of the concerns you raise need to be accounted for.  i leave it up 
to others to extend it for their own safe use ;).
-mike

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.