Date: Sun, 2 Mar 2014 17:45:48 -0500
From: Eitan Adler <eadler@freebsd.org>
To: Mark Felder <feld@freebsd.org>
Cc: freebsd-stable <freebsd-stable@freebsd.org>, Jilles Tjoelker <jilles@stack.nl>
Subject: Re: ssh-copy-id
Message-ID: <CAF6rxgntCb2MBVR_GGJH2s2ba1wb9CHCtsUmQ9FKsdfmmmAWSw@mail.gmail.com>
In-Reply-To: <1393686144.13293.89322249.7BB6D2F8@webmail.messagingengine.com>
References: <2cba8fd9cc51dedc1bd5e127046f4ab7@dweimer.net>
 <1393618827.9046.89104957.4A974C56@webmail.messagingengine.com>
 <ea6804d070e9b2e4393eaca2fa45d938@dweimer.net>
 <1393625741.9928.89141917.3B723B0F@webmail.messagingengine.com>
 <CAF6rxg=SBno64BpmxcvddQFpnAePFHKZ%2B1kp1a%2BAY5F6-xQsMA@mail.gmail.com>
 <20140228234214.GA23514@stack.nl>
 <CAF6rxgkn_hZd5G7ef80BF%2BPfnAxXnAOYrmkohXKVrL5ddvC=Aw@mail.gmail.com>
 <1393686144.13293.89322249.7BB6D2F8@webmail.messagingengine.com>

On 1 March 2014 10:02, Mark Felder <feld@freebsd.org> wrote:
>
>
> On Fri, Feb 28, 2014, at 21:11, Eitan Adler wrote:
>> On 28 February 2014 18:42, Jilles Tjoelker <jilles@stack.nl> wrote:
>> > On Fri, Feb 28, 2014 at 06:08:10PM -0500, Eitan Adler wrote:
>> >> On 28 February 2014 17:15, Mark Felder <feld@freebsd.org> wrote:
>> >> ....
>> >
>> >> > In my opinion, if I'm using an ssh utility and I specify "-i" flag it
>> >> > should be the private key.
>> >
>> >> Hey all,
>> >
>> >> Sorry about the confusion ssh-copy-id has caused you.
>> >
>> >> Does the following patch help ?
>> >
>> > In addition to that, it may be useful to add an explicit check against
>> > sending private keys. Even though printf(1) fails, the receiving server
>> > still gets the private key and a malicious root user might steal it.
>> >
>> > For example, any key starting with '-' is inappropriate.
>>
>> I thought about adding a check for private keys. However such a check
>> is insufficient since the user may have supplied other private files
>> accidentally such as /etc/passwd or a GPG key.
>>
>
> I suppose you could whitelist certain types of keys and only permit
> those to be used with ssh-copy-id and exit/error if something else is
> fed to it.

I still have some trauma from seeing libmagic used in security
sensitive contexts. However, in this case adding a whitelist based on
file(1) is not a terrible idea.

I'll try to work on this, but no promises. I'd be happy to review if
you come up with a patch.

-- 
Eitan Adler
Source, Ports, Doc committer
Bugmeister, Ports Security teams
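
The whitelist idea discussed in this message, as an added example that is not
part of the original thread or of ssh-copy-id: it checks the key-type field of
each line directly instead of going through file(1), and refuses the file
before anything is sent. The function name is_public_key_file, the list of
accepted key types and the sample files are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not ssh-copy-id code. is_public_key_file is a hypothetical name.

# Return 0 only if the file is readable, has at least one key line, and every
# non-blank, non-comment line is "<allowed-type> <base64-blob> [comment]".
# Anything else (PEM private keys, PGP armor, /etc/passwd) is refused.
is_public_key_file() {
    [ -f "$1" ] && [ -r "$1" ] || return 1
    seen=0
    # "|| [ -n ... ]" keeps a final line that lacks a trailing newline.
    while read -r ktype blob rest || [ -n "$ktype" ]; do
        case $ktype in
            ''|'#'*) continue ;;          # blank line or comment
        esac
        case $ktype in                    # allow-list of key types (assumed set)
            ssh-rsa|ssh-dss|ssh-ed25519) ;;
            ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
            *) return 1 ;;                # includes every line starting with '-'
        esac
        case $blob in                     # second field must be pure base64
            ''|*[!A-Za-z0-9+/=]*) return 1 ;;
        esac
        seen=1
    done < "$1"
    [ "$seen" -eq 1 ]
}

# Constructed sample inputs (placeholders, not real key material).
tmp=$(mktemp -d)
printf '%s\n' 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER user@host' > "$tmp/id.pub"
printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'MIIEPLACEHOLDER' \
    '-----END RSA PRIVATE KEY-----' > "$tmp/id"
printf '%s\n' 'root:*:0:0:Charlie &:/root:/bin/csh' > "$tmp/passwd"

for f in "$tmp/id.pub" "$tmp/id" "$tmp/passwd"; do
    if is_public_key_file "$f"; then
        echo "would send: ${f##*/}"
    else
        echo "refused:    ${f##*/} (not a recognised public key)" >&2
    fi
done
rm -rf "$tmp"
```

Because the check runs locally and fails closed, a private key or other file
passed by mistake never reaches the remote host.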