Use of non-user readable (null password) private keys
mouring at etoh.eviladmin.org
Tue Mar 27 23:45:02 EST 2001
On Tue, 27 Mar 2001, Piete Brooks wrote:
> Executive summary: Why can I not have a private key which is `public' ?
>
>
Example:
* UserA has ~/.ssh/id_rsa readable by everyone on MachineA
* UserA copied ~/.ssh/id_rsa.pub to MachineB and put it in their
~/.ssh/authorized_keys2
* UserB finds ~UserA/.ssh/id_rsa being readable and steals the key.
* UserB learns that UserA logs into MachineB using the non-interactive key
exchange method.
* UserB copies the stolen key to his ~/.ssh/ and now does: ssh UserA@MachineB.
Security has now been compromised.
> Gory details ....
>
> I'm new to openssh. I've been using ssh for years. However, I'm in the process
> of investigating RH 7.* (0.91 at the moment) and am wanting to be as
> `standard' as possible, so trying openssh.
>
> I looked on http://www.openssh.com/list.html but could not find a list for
> "general OpenSSH discussion", but this was the closest match, so I'll call it
> a bug :-)
>
This list doubles as a lot of things. And luckily the traffic is not
extremely high. =)
> We use a client/server model with no `user' accounts on servers.
> There are certain operations which a user may require to run with certain
> privs, and we use ssh to do this. The capability may be given to an individual
> user (user-only-readable in their .ssh/), a group (using UN*X group semantics)
> or may be accessible to all users of a particular machine or set of machines
> (e.g. when a user changes their password, a process is woken up on the
> password server).
>
> This all worked fine under ssh, but under openssh load_private_key() does a
> if ((st.st_mode & 077) != 0) {
> and then complains that it is readable and won't use it. (it says "It is
> recommended that your private key files are NOT accessible by others." but
> appears to implement somewhat more than a `recommendation' !)
>
> Is this bug intended as a feature ? [ :-) ]
>
I would not consider this a bug. It's a safety feature to protect the
user from doing stupid things. (As shown in the example above). I don't
see why the 'private' key should be allowed to be made public. Feel free
to explain why such behavior is not correct. I can't see how allowing
everyone to read/steal my keys is considered a Good Thing(tm). =)
- Ben
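As an added example, not code from the original post and not OpenSSH's own load_private_key(), here is a small C program that performs the same `(st.st_mode & 077) != 0` test quoted above: the mask 077 covers every group and other permission bit, so a key file is refused as soon as anyone but its owner can read, write or execute it. The function name check_private_key_perms(), the helper make_key_file() and the placeholder key text it writes are assumptions made for this example; the helper constructs sample files under /tmp at several modes so the check can be exercised offline.

```c
#define _XOPEN_SOURCE 700   /* mkstemp(), strdup() on glibc */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* Result codes for the permission check (names are this example's own). */
enum key_check { KEY_OK = 0, KEY_STAT_FAILED = -1, KEY_TOO_OPEN = -2 };

/* Same test as the one quoted from load_private_key(): refuse a private
 * key whose group or other permission bits (mask 077) are set. */
enum key_check check_private_key_perms(const char *path)
{
    struct stat st;
    if (stat(path, &st) < 0)
        return KEY_STAT_FAILED;
    if ((st.st_mode & 077) != 0)
        return KEY_TOO_OPEN;
    return KEY_OK;
}

/* Helper for the demonstration: create a constructed placeholder key file
 * under /tmp with the requested mode. Returns a malloc'd path that the
 * caller must unlink() and free(), or NULL on failure. */
char *make_key_file(mode_t mode)
{
    char tmpl[] = "/tmp/id_rsa_example_XXXXXX";
    const char *body =
        "-----BEGIN RSA PRIVATE KEY-----\n"
        "(constructed placeholder, not a real key)\n"
        "-----END RSA PRIVATE KEY-----\n";
    int fd = mkstemp(tmpl);          /* created 0600 by mkstemp */
    if (fd < 0)
        return NULL;
    if (write(fd, body, strlen(body)) < 0) {
        close(fd);
        unlink(tmpl);
        return NULL;
    }
    close(fd);
    /* chmod is not subject to umask, so the mode under test is applied exactly */
    if (chmod(tmpl, mode) < 0) {
        unlink(tmpl);
        return NULL;
    }
    return strdup(tmpl);
}

int main(void)
{
    static const mode_t modes[] = { 0600, 0640, 0644 };
    for (size_t i = 0; i < sizeof modes / sizeof modes[0]; i++) {
        char *p = make_key_file(modes[i]);
        if (p == NULL) {
            perror("make_key_file");
            return 1;
        }
        enum key_check r = check_private_key_perms(p);
        printf("mode %04o: %s\n", (unsigned)modes[i],
               r == KEY_OK ? "accepted" :
               r == KEY_TOO_OPEN ? "refused: readable by others" :
               "stat failed");
        unlink(p);
        free(p);
    }
    return 0;
}
```

Only the 0600 file passes; 0640 (group-readable) and 0644 (world-readable) are both refused, which is exactly the situation of UserA's key in the scenario above. The fix on the user's side is simply `chmod 600 ~/.ssh/id_rsa`.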