
[Bug 2042] Troubleshooting information should be logged when sshd doesn't have permission to read user's authorized_keys file
https://bugzilla.mindrot.org/show_bug.cgi?id=2042

Janne Ruohomäki <janne.ruohomaki@gmail.com> changed:

What |Removed |Added
----------------------------------------------------------------------------
CC| |janne.ruohomaki@gmail.com

--- Comment #1 from Janne Ruohomäki <janne.ruohomaki@gmail.com> ---
I seriously think that this issue is way too severe to sit idling for
10 years.

https://github.com/openssh/openssh-portable/blob/acb2059febaddd71ee06c2ebf63dcf211d9ab9f2/auth2-pubkeyfile.c#L453
https://github.com/openssh/openssh-portable/blob/f5ba85daddfc2da6a8dab6038269e02c0695be44/auth2-pubkey.c#L599

All error messages related to read access to the user's authorized_keys file
are sent to /dev/null with any sensible production log level. Not only
does this hinder diagnostics of pubkey authentication credential issues, it
also hides potential brute force attacks, as there's no sensible output
in the log files about failed authentication attempts. Now, as the
user's authorized_keys file is in the user's control, including filesystem
access rights and potentially excluding selinux settings, this can make a
considerable mess.

Additionally, there have been problems in several distros breaking
pubkey authentication by messing with selinux configs for the
authorized_keys file on a larger scale.

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=658675
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/965663

All it takes to fix this is to change those log levels in
auth2-pubkeyfile.c and auth2-pubkey.c to Warning or Error.

I would suggest Error as a correct log level for "Could not open %s
'%s': %s" messages because:

1) It directly affects authentication by leaving out configuration
2) The configuration left out is explicitly put in place and meant to be
used
3) If not written to the log, it masks brute force attacks against certain
user accounts, if read access to a config file in the control of a non-root
user is denied.

--
You are receiving this mail because:
You are watching the assignee of the bug.
_______________________________________________
openssh-bugs mailing list
openssh-bugs@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-bugs
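The decision attachment 3601 describes ("increase loglevel for errno != ENOENT") as an added C illustration; this is not code from the bug or from OpenSSH, the function names, the enum and the two constructed paths are assumptions, and stderr stands in for sshd's logging:

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Outcome of trying to read a user's authorized_keys file. The two log levels
 * are the whole substance of the bug: before the fix every failure was debug. */
enum keys_outcome { KEYS_OPENED, KEYS_LOG_DEBUG, KEYS_LOG_ERROR };

/* Map the errno of a failed open() to a log level. ENOENT only means the user
 * has no key file, the normal case on a multi-user host, so it stays at debug.
 * Anything else (EACCES, ENOTDIR, ELOOP, ...) means a file that was put in
 * place on purpose is being ignored: logins break and, if that account is
 * being guessed against, the attempts leave no trace at production levels. */
enum keys_outcome level_for_open_errno(int err)
{
    return err == ENOENT ? KEYS_LOG_DEBUG : KEYS_LOG_ERROR;
}

/* Open a keys file read-only as sshd would and close it again (only the
 * outcome matters here). On failure errno is stored in *err_out and a message
 * in the shape of sshd's "Could not open %s '%s': %s" goes to stderr, prefixed
 * with the level it would be logged at after the fix. */
enum keys_outcome check_keys_file(const char *what, const char *path, int *err_out)
{
    int fd = open(path, O_RDONLY);
    if (fd >= 0) {
        close(fd);
        *err_out = 0;
        return KEYS_OPENED;
    }
    *err_out = errno;
    enum keys_outcome lvl = level_for_open_errno(*err_out);
    fprintf(stderr, "%s: Could not open %s '%s': %s\n",
        lvl == KEYS_LOG_ERROR ? "error" : "debug1", what, path, strerror(*err_out));
    return lvl;
}

int main(void)
{
    /* Constructed paths: the first does not exist (ENOENT, stays quiet); the
     * second has a non-directory component (ENOTDIR), standing in for the
     * permission and labeling failures the bug report is about. */
    const char *paths[] = { "/nonexistent-example-dir/.ssh/authorized_keys",
                            "/dev/null/authorized_keys" };
    int err;
    for (size_t i = 0; i < 2; i++)
        check_keys_file("authorized keys file", paths[i], &err);
    return 0;
}
```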
[Bug 2042] Troubleshooting information should be logged when sshd doesn't have permission to read user's authorized_keys file
https://bugzilla.mindrot.org/show_bug.cgi?id=2042

Damien Miller <djm@mindrot.org> changed:

What |Removed |Added
----------------------------------------------------------------------------
CC| |djm@mindrot.org,
| |dtucker@dtucker.net
Attachment #3601| |ok?(dtucker@dtucker.net)
Flags| |

--- Comment #2 from Damien Miller <djm@mindrot.org> ---
Created attachment 3601
--> https://bugzilla.mindrot.org/attachment.cgi?id=3601&action=edit
increase loglevel for errno != ENOENT

[Bug 2042] Troubleshooting information should be logged when sshd doesn't have permission to read user's authorized_keys file
https://bugzilla.mindrot.org/show_bug.cgi?id=2042

Darren Tucker <dtucker@dtucker.net> changed:

What |Removed |Added
----------------------------------------------------------------------------
Attachment #3601|ok?(dtucker@dtucker.net) |ok+
Flags| |

[Bug 2042] Troubleshooting information should be logged when sshd doesn't have permission to read user's authorized_keys file
https://bugzilla.mindrot.org/show_bug.cgi?id=2042

Damien Miller <djm@mindrot.org> changed:

What |Removed |Added
----------------------------------------------------------------------------
Resolution|--- |FIXED
Blocks| |3418
Status|NEW |RESOLVED

--- Comment #3 from Damien Miller <djm@mindrot.org> ---
This has been committed and will be in OpenSSH 9.1.

Referenced Bugs:

https://bugzilla.mindrot.org/show_bug.cgi?id=3418
[Bug 3418] tracking bug for openssh-9.1