backdoor by authorized_keys2 leftovers
Damien Miller
djm at mindrot.org
Wed May 11 14:47:46 EST 2011
On Mon, 9 May 2011, Rado S wrote:
> Hi devs,
>
> recently I had to replace authorized_keys on several systems to
> enforce an access policy change.
> I was badly surprised that authorized_keys2(!) was still processed,
> which allowed some old keys to enter the systems again, because I
> wasn't aware of the file's existance on the server and use by sshd,
> since this "backward compatibility" isn't documented, not even a
> historical reference about "obsolete" or "deprecated".
>
> Maybe it's time to drop the old stuff not to get haunted by such
> leftovers again.
Good point - I just committed a change to remove it for openssh-5.9
-d
More information about the openssh-unix-dev
mailing list