openssh-unix-dev May 2011 archive
Main Archive Page > Month Archives  > openssh-unix-dev archives
openssh-unix-dev: Re: backdoor by authorized_keys2 leftovers

Re: backdoor by authorized_keys2 leftovers

From: Dan Kaminsky <dan_at_nospam>
Date: Thu May 12 2011 - 19:14:02 GMT
To: Markus Friedl <mfriedl@gmail.com>

On Thu, May 12, 2011 at 11:49 AM, Markus Friedl <mfriedl@gmail.com> wrote:

> looks like we've been waiting too long :)
>
> http://www.openssh.com/txt/release-3.0
>
> 2) The files
> /etc/ssh_known_hosts2
> ~/.ssh/known_hosts2
> ~/.ssh/authorized_keys2
> are now obsolete, you can use
> /etc/ssh_known_hosts
> ~/.ssh/known_hosts
> ~/.ssh/authorized_keys
> For backward compatibility ~/.ssh/authorized_keys2 will still used for
> authentication and hostkeys are still read from the known_hosts2.
> However, those deprecated files are considered 'readonly'. Future
> releases are likely not to read these files.
>

In no uncertain terms, removal of authorized_keys2 support will cause
outages, up to and including requiring physical access for administrators to
resolve. Documentation is not an excuse to make this change.

It's completely reasonable, desirable even, to allow a new configuration
option to explicitly define the set of files that can contain authorized
keys. It'd even be convenient to have an AuthorizationCommand option, that
sent properly escaped strings to a command for external testing and
validation.

>
> On Mittwoch, 11. Mai 2011 at 08:01, Dan Kaminsky wrote:
> >
> >
> > Sent from my iPhone
> >
> > On May 10, 2011, at 9:47 PM, Damien Miller <djm@mindrot.org> wrote:
> >
> > > On Mon, 9 May 2011, Rado S wrote:
> > >
> > > > Hi devs,
> > > >
> > > > recently I had to replace authorized_keys on several systems to
> > > > enforce an access policy change.
> > > > I was badly surprised that authorized_keys2(!) was still processed,
> > > > which allowed some old keys to enter the systems again, because I
> > > > wasn't aware of the file's existance on the server and use by sshd,
> > > > since this "backward compatibility" isn't documented, not even a
> > > > historical reference about "obsolete" or "deprecated".
> > > >
> > > > Maybe it's time to drop the old stuff not to get haunted by such
> > > > leftovers again.
> > >
> > > Good point - I just committed a change to remove it for openssh-5.9
> >
> > I'd document, rather than remove. I think all my systems use
> authorized_keys2. You will end up locking users and admins out.
> >
> > > -d
> > > _______________________________________________
> > > openssh-unix-dev mailing list
> > > openssh-unix-dev@mindrot.org
> > > https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
> > _______________________________________________
> > openssh-unix-dev mailing list
> > openssh-unix-dev@mindrot.org
> > https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
> >
>
>
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev