[Bug 2042] Troubleshooting information should be logged when sshd doesn't have permission to read user's authorized_keys file

bugzilla-daemon at mindrot.org
Fri Jul 1 03:10:15 AEST 2022


https://bugzilla.mindrot.org/show_bug.cgi?id=2042

Janne Ruohomäki <janne.ruohomaki at gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |janne.ruohomaki at gmail.com

--- Comment #1 from Janne Ruohomäki <janne.ruohomaki at gmail.com> ---
I seriously think that this issue is way too severe to sit idling for
10 years.

https://github.com/openssh/openssh-portable/blob/acb2059febaddd71ee06c2ebf63dcf211d9ab9f2/auth2-pubkeyfile.c#L453
https://github.com/openssh/openssh-portable/blob/f5ba85daddfc2da6a8dab6038269e02c0695be44/auth2-pubkey.c#L599

All error messages related to read access to the user's authorized_keys
file are sent to /dev/null with any sensible production log level. Not
only does this make diagnostics of pubkey authentication credential
issues difficult, it also hides potential brute force attacks, as
there's no sensible output in the log files about failed authentication
attempts. Now, as the user's authorized_keys file is in the user's
control, including filesystem access rights and potentially excluding
selinux settings, this can make a considerable mess.

Additionally, there have been problems in several distros breaking
pubkey authentication by messing with selinux configs for the
authorized_keys file on a larger scale.

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=658675
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/965663

All it takes to fix this is to change those log levels in
auth2-pubkeyfile.c and auth2-pubkey.c to Warning or Error.

I would suggest Error as a correct log level for "Could not open %s
'%s': %s" messages because:

1) It directly affects authentication by leaving out configuration.
2) The configuration left out is explicitly put in place and meant to be
used.
3) If not written to the log, it masks brute force attacks against
certain user accounts, if read access to a config file in the control
of a non-root user is denied.

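Because sshd, at the default log level, says nothing when it cannot use a user's authorized_keys file, an administrator's only option today is to check the file the same way sshd does before blaming the key. The script below is an added example, not OpenSSH code and not part of the bug report; it re-implements the conditions sshd applies with StrictModes (the default): the file must be a regular file owned by the user or root, neither it nor any parent directory up to the home directory may be group- or world-writable, and the user must be able to read it. The function names, the `demo()` fixture and the sample key line are this example's own constructions.

```python
#!/usr/bin/env python3
"""Pre-flight check for a user's authorized_keys file.

Hypothetical helper (not OpenSSH code). It reports the conditions under
which sshd, with StrictModes yes, ignores the file without logging
anything at the default LogLevel: wrong owner, group/world-writable file
or parent directory, or a file the user cannot read.
"""
import os
import stat
from pathlib import Path

WRITABLE_BY_OTHERS = stat.S_IWGRP | stat.S_IWOTH


def _owner_ok(st, uid):
    # sshd accepts files and directories owned by the user or by root.
    return st.st_uid in (0, uid)


def check_authorized_keys(path, uid, home):
    """Return a list of human-readable problems.

    An empty list means the file passes the checks sshd applies before it
    reads keys from it. `home` is where the parent-directory walk stops,
    mirroring sshd, which checks up to and including the home directory.
    """
    problems = []
    path = Path(path)
    try:
        st = path.stat()
    except FileNotFoundError:
        return [f"{path}: file does not exist"]
    except PermissionError as exc:
        return [f"{path}: cannot stat: {exc}"]

    if not stat.S_ISREG(st.st_mode):
        problems.append(f"{path}: not a regular file")
    if not _owner_ok(st, uid):
        problems.append(f"{path}: owned by uid {st.st_uid}, expected {uid} or root")
    if st.st_mode & WRITABLE_BY_OTHERS:
        problems.append(f"{path}: group/world writable (mode {oct(st.st_mode & 0o777)})")
    # sshd reads the file with the user's privileges, so a user-owned file
    # must carry the owner read bit (root-owned files are not checked here).
    if st.st_uid == uid and not (st.st_mode & stat.S_IRUSR):
        problems.append(f"{path}: not readable by its owner")

    home = Path(home).resolve()
    d = path.resolve().parent
    while True:
        dst = d.stat()
        if not _owner_ok(dst, uid):
            problems.append(f"{d}: owned by uid {dst.st_uid}, expected {uid} or root")
        if dst.st_mode & WRITABLE_BY_OTHERS:
            problems.append(f"{d}: group/world writable (mode {oct(dst.st_mode & 0o777)})")
        if d == home or d == d.parent:
            break
        d = d.parent
    return problems


def demo():
    """Build a throwaway home directory (constructed fixture) and run the
    check against a clean layout and three typical breakages.
    Returns {scenario: problems}."""
    import tempfile
    uid = os.getuid()
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        home = Path(tmp)
        ssh = home / ".ssh"
        ssh.mkdir()
        ak = ssh / "authorized_keys"
        # Constructed placeholder key line; not a real public key.
        ak.write_text("ssh-ed25519 AAAA-placeholder user@example\n")
        os.chmod(home, 0o755)
        os.chmod(ssh, 0o700)
        os.chmod(ak, 0o600)
        results["clean"] = check_authorized_keys(ak, uid, home)

        os.chmod(ak, 0o666)
        results["world_writable_file"] = check_authorized_keys(ak, uid, home)
        os.chmod(ak, 0o600)

        os.chmod(ssh, 0o777)
        results["world_writable_dir"] = check_authorized_keys(ak, uid, home)
        os.chmod(ssh, 0o700)

        os.chmod(ak, 0o200)
        results["unreadable_file"] = check_authorized_keys(ak, uid, home)
        os.chmod(ak, 0o600)
    return results


if __name__ == "__main__":
    for scenario, problems in demo().items():
        print(f"{scenario}: {'OK' if not problems else ''}")
        for p in problems:
            print(f"  - {p}")
```

Run it as root against `/home/USER/.ssh/authorized_keys` with the user's uid and home to get the diagnostic that sshd itself withholds at the default LogLevel; the `demo()` fixture only shows the kinds of findings it produces. SELinux labelling, which the comment also mentions, is not covered by these checks.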