Full Disclosure: Re: Leveraging pam

Re: Leveraging pam_env to steal DSA keys

From: paul.szabo () sydney edu au
Date: Tue, 31 May 2011 08:48:22 +1000

... http://7bits.nl/projects/pamenv-dsakeys/pamenv-dsakeys.html


Seems to me that CVE-2010-3435 may allow users to determine also:
  password in /etc/lilo.conf
  secret in /etc/bind/named.conf /etc/bind/rndc.conf /etc/bind/rndc.key
  bits of /etc/ssh/ssh_host_dsa_key /etc/ssh/ssh_host_rsa_key
which should all be protected.

Cheers,

Paul Szabo   psz () maths usyd edu au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney    Australia

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

By Date By Thread

Current thread:

Leveraging pam_env to steal DSA keys Peter van Dijk (May 30)
- Re: Leveraging pam_env to steal DSA keys paul . szabo (May 30)
  - Re: Leveraging pam_env to steal DSA keys Peter van Dijk (May 31)
    - Re: Leveraging pam_env to steal DSA keys paul . szabo (May 31)