openssh-unix-dev May 2011 archive

Re: backdoor by authorized_keys2 leftovers

From: Dan Kaminsky <dan_at_nospam>
Date: Wed May 11 2011 - 06:01:14 GMT
To: Damien Miller <djm@mindrot.org>

Sent from my iPhone

On May 10, 2011, at 9:47 PM, Damien Miller <djm@mindrot.org> wrote:

> On Mon, 9 May 2011, Rado S wrote:
>
>> Hi devs,
>>
>> recently I had to replace authorized_keys on several systems to
>> enforce an access policy change.
>> I was badly surprised that authorized_keys2(!) was still processed,
>> which allowed some old keys to enter the systems again, because I
>> wasn't aware of the file's existence on the server and use by sshd,
>> since this "backward compatibility" isn't documented, not even a
>> historical reference about "obsolete" or "deprecated".
>>
>> Maybe it's time to drop the old stuff not to get haunted by such
>> leftovers again.
>
> Good point - I just committed a change to remove it for openssh-5.9
>

I'd document, rather than remove. I think all my systems use authorized_keys2. You will end up locking users and admins out.

> -d
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev@mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
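
An audit for the situation reported in this thread, as an added example that is not part of the original messages or of OpenSSH: it lists keys that appear only in a user's authorized_keys2, that is, keys that replacing authorized_keys alone would leave in place. The function names, the `<user>/.ssh/` layout under one home root and the sample keys are assumptions constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Key type plus base64 blob; leading options and the trailing comment are ignored.
KEY_RE = re.compile(
    r"(?:^|\s)((?:ssh-(?:rsa|dss|ed25519)|ecdsa-sha2-\S+|sk-\S+)\s+[A-Za-z0-9+/=]+)")

def read_keys(path):
    """Return the set of 'type blob' strings in an authorized_keys-style file."""
    if not path.is_file():
        return set()
    keys = set()
    for line in path.read_text(errors="replace").splitlines():
        m = None if line.lstrip().startswith("#") else KEY_RE.search(line)
        if m:
            keys.add(" ".join(m.group(1).split()))
    return keys

def find_leftovers(home_root):
    """Map each user under home_root to keys that exist only in authorized_keys2."""
    report = {}
    for legacy in sorted(Path(home_root).glob("*/.ssh/authorized_keys2")):
        extra = read_keys(legacy) - read_keys(legacy.with_name("authorized_keys"))
        if extra:
            report[legacy.parent.parent.name] = sorted(extra)
    return report

def build_sample(root):
    """Constructed sample tree (keys are made-up placeholders, not real keys)."""
    old = "ssh-rsa AAAAB3NzaC1yc2EOLDKEY old@example"
    new = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5NEWKEY new@example"
    files = {
        "alice/.ssh/authorized_keys": new + "\n",
        "alice/.ssh/authorized_keys2": f'# legacy\nfrom="10.0.0.1" {old}\n{new}\n',
        "bob/.ssh/authorized_keys": new + "\n",
        "bob/.ssh/authorized_keys2": new + "\n",
        "carol/.ssh/authorized_keys2": old + "\n",  # no authorized_keys at all
    }
    for rel, body in files.items():
        path = Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(body)
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for user, keys in find_leftovers(build_sample(tmp)).items():
            for key in keys:
                print(f"{user}: only in authorized_keys2: {key}")
```

Users whose two files hold the same keys are not reported; a user with only an authorized_keys2 file is reported with every key in it.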