[Bug 227] New: 2nd Client Instance Can Login Without Authorization
bugzilla-daemon at mindrot.org
Fri Apr 26 14:23:57 EST 2002
http://bugzilla.mindrot.org/show_bug.cgi?id=227
Summary: 2nd Client Instance Can Login Without Authorization
Product: Portable OpenSSH
Version: 3.1p1
Platform: ix86
OS/Version: Linux
Status: NEW
Severity: security
Priority: P2
Component: sshd
AssignedTo: openssh-unix-dev at mindrot.org
ReportedBy: drchang at hawaii.edu
I'm using Red Hat Linux 7.2 with the Red Hat binary RPM version of OpenSSH 3.1p1. I've noticed that when I'm logged in to the server from my local network using SSH2 and public key authentication, if I log in from another SSH2 client, an unauthorized key will be able to login to the server. Additionally, if a valid key is present on the 2nd client, no passphrase will be prompted for when connecting. In each instance, I'm logging into the same user account.
In summary, if I'm logged in already, and then I login using another client using public key authentication, the 2nd instance will not require a valid key for the server. All forms of authentication by host have been disabled in sshd_config.
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.