openssh-unix-dev May 2011 archive

Re: backdoor by authorized_keys2 leftovers

From: Markus Friedl <mfriedl_at_nospam>
Date: Thu May 12 2011 - 18:49:07 GMT
To: Dan Kaminsky <dan@doxpara.com>

looks like we've been waiting too long :)

http://www.openssh.com/txt/release-3.0

2) The files
/etc/ssh_known_hosts2
~/.ssh/known_hosts2
~/.ssh/authorized_keys2
 are now obsolete, you can use
/etc/ssh_known_hosts
~/.ssh/known_hosts
~/.ssh/authorized_keys
 For backward compatibility ~/.ssh/authorized_keys2 will still be used for
 authentication and hostkeys are still read from the known_hosts2.
 However, those deprecated files are considered 'readonly'. Future
 releases are likely not to read these files.

On Wednesday, 11 May 2011 at 08:01, Dan Kaminsky wrote:
> On May 10, 2011, at 9:47 PM, Damien Miller <djm@mindrot.org> wrote:
>
> > On Mon, 9 May 2011, Rado S wrote:
> >
> > > Hi devs,
> > >
> > > recently I had to replace authorized_keys on several systems to
> > > enforce an access policy change.
> > > I was badly surprised that authorized_keys2(!) was still processed,
> > > which allowed some old keys to enter the systems again, because I
> > > wasn't aware of the file's existence on the server and use by sshd,
> > > since this "backward compatibility" isn't documented, not even a
> > > historical reference about "obsolete" or "deprecated".
> > >
> > > Maybe it's time to drop the old stuff not to get haunted by such
> > > leftovers again.
> >
> > Good point - I just committed a change to remove it for openssh-5.9
>
> I'd document, rather than remove. I think all my systems use authorized_keys2. You will end up locking users and admins out.
>
> > -d
> > _______________________________________________
> > openssh-unix-dev mailing list
> > openssh-unix-dev@mindrot.org
> > https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
>

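As an added illustration (not code from this thread or from OpenSSH), the script below performs the audit that Rado's report calls for on a server that still honours the legacy file: for every home directory it parses ~/.ssh/authorized_keys and the deprecated ~/.ssh/authorized_keys2 and lists the keys that are accepted only because of the legacy file. The home-directory layout, user names and key blobs in the demo are constructed, and the key-type list is illustrative rather than exhaustive.

```python
"""Find keys that sshd would still accept solely via ~/.ssh/authorized_keys2.

Added example, not OpenSSH code. Sample files, users and key blobs are constructed.
"""
import os
import tempfile
from typing import Dict, List, Optional, Tuple

# Key types accepted in authorized_keys lines (illustrative list, not exhaustive).
KEY_TYPES = ("ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")

Entry = Tuple[str, str, str]  # (key type, base64 blob, comment)

# Constructed sample files; the base64 blobs are placeholders, not real keys.
SAMPLE_AUTHORIZED_KEYS = """\
# current policy: only alice's key is authorised
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICONSTRUCTEDBLOBALICE alice@laptop
"""

SAMPLE_AUTHORIZED_KEYS2 = """\
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICONSTRUCTEDBLOBALICE alice@laptop
command="/usr/local/bin/backup --run" ssh-rsa AAAAB3NzaC1yc2ECONSTRUCTEDBLOBBOB bob@oldbox
ssh-dss AAAAB3NzaC1kc3MCONSTRUCTEDBLOBCAROL carol@contractor
"""


def _split_respecting_quotes(line: str) -> List[str]:
    """Split on whitespace, but keep double-quoted option values (which may
    contain spaces, e.g. command="...") together as one token."""
    tokens: List[str] = []
    cur: List[str] = []
    in_quote = False
    prev = ""
    for ch in line:
        if ch == '"' and prev != "\\":
            in_quote = not in_quote
            cur.append(ch)
        elif ch.isspace() and not in_quote:
            if cur:
                tokens.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
        prev = ch
    if cur:
        tokens.append("".join(cur))
    return tokens


def parse_authorized_keys_line(line: str) -> Optional[Entry]:
    """Return (type, blob, comment) for a key line, None for blank/comment/unparseable lines.
    An optional leading options field is skipped by scanning for the first key type."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    tokens = _split_respecting_quotes(stripped)
    for i, tok in enumerate(tokens):
        if tok in KEY_TYPES and i + 1 < len(tokens):
            return tok, tokens[i + 1], " ".join(tokens[i + 2:])
    return None


def load_keys(text: str) -> Dict[Tuple[str, str], str]:
    """Map (type, blob) -> comment. Options and comments are ignored for identity,
    because sshd matches on the key material, not on the surrounding text."""
    keys: Dict[Tuple[str, str], str] = {}
    for line in text.splitlines():
        parsed = parse_authorized_keys_line(line)
        if parsed:
            keys[(parsed[0], parsed[1])] = parsed[2]
    return keys


def leftover_keys(primary_text: str, legacy_text: str) -> List[Entry]:
    """Keys present in authorized_keys2 but absent from authorized_keys, in file order."""
    primary = load_keys(primary_text)
    result: List[Entry] = []
    for line in legacy_text.splitlines():
        parsed = parse_authorized_keys_line(line)
        if parsed and (parsed[0], parsed[1]) not in primary:
            result.append(parsed)
    return result


def _read(path: str) -> str:
    with open(path, encoding="utf-8", errors="replace") as fh:
        return fh.read()


def audit_home_dirs(home_root: str) -> Dict[str, List[Entry]]:
    """For each <home_root>/<user>/.ssh/authorized_keys2, report keys accepted only via that file."""
    findings: Dict[str, List[Entry]] = {}
    for user in sorted(os.listdir(home_root)):
        sshdir = os.path.join(home_root, user, ".ssh")
        legacy_path = os.path.join(sshdir, "authorized_keys2")
        if not os.path.isfile(legacy_path):
            continue
        primary_path = os.path.join(sshdir, "authorized_keys")
        primary = _read(primary_path) if os.path.isfile(primary_path) else ""
        extra = leftover_keys(primary, _read(legacy_path))
        if extra:
            findings[user] = extra
    return findings


def demo() -> Dict[str, List[Entry]]:
    """Build a constructed home tree in a temp dir and audit it (hypothetical users)."""
    layout = {
        "alice": {"authorized_keys": SAMPLE_AUTHORIZED_KEYS,
                  "authorized_keys2": SAMPLE_AUTHORIZED_KEYS2},
        "dave": {"authorized_keys2": "ssh-rsa AAAAB3NzaC1yc2ECONSTRUCTEDBLOBDAVE dave@old\n"},
        "erin": {},  # no legacy file: nothing to report
    }
    with tempfile.TemporaryDirectory() as root:
        for user, files in layout.items():
            sshdir = os.path.join(root, user, ".ssh")
            os.makedirs(sshdir)
            for name, text in files.items():
                with open(os.path.join(sshdir, name), "w", encoding="utf-8") as fh:
                    fh.write(text)
        return audit_home_dirs(root)


if __name__ == "__main__":
    for user, entries in demo().items():
        for keytype, blob, comment in entries:
            print(f"{user}: {keytype} {blob[:20]}... {comment} (only in authorized_keys2)")
```

Run it against /home (or wherever home directories live) on any server whose sshd predates the removal; a user who appears in the output can still log in with a key the policy change was meant to revoke. Keys are compared by type and blob only, so a key that differs between the two files merely in its options or comment is treated as already authorised.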