Home page logo
/

oss-sec logo oss-sec mailing list archives

Re: CVE Request: Debian (others?) openssh-server: Forced Command handling leaks private information to ssh clients
From: Kurt Seifried <kseifried () redhat com>
Date: Fri, 27 Jan 2012 09:59:49 -0700

On 01/27/2012 03:40 AM, Yves-Alexis Perez wrote:
On jeu., 2012-01-26 at 19:49 -0500, Marc Deslauriers wrote:
Please use CVE-2012-0814 for this issue. Also please let me know if
other Linux distributions are affected!



Looks like this (I haven't tried...):

http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/auth-options.c.diff?r1=1.53;r2=1.54 

By the way, is the ForceCommand (and other directives) really supposed
to be private for different keys (or, more widely, for different matches
for the same user).

Regards,

I created three separate keys, so three separate accounts. I can't see
any valid reason that account #3 (that is the third key listed) should
be able to see the first and second force commands. These commands could
contain sensitive commands/passwords (e.g. log in with a key to trigger
some automated job by the backup user) for example.

-- 
Kurt Seifried Red Hat Security Response Team (SRT)


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]