backdoor by authorized_keys2 leftovers

Damien Miller djm at mindrot.org
Wed May 11 14:47:46 EST 2011


On Mon, 9 May 2011, Rado S wrote:

> Hi devs,
> 
> recently I had to replace authorized_keys on several systems to
> enforce an access policy change.
> I was badly surprised that authorized_keys2(!) was still processed,
> which allowed some old keys to enter the systems again, because I
> wasn't aware of the file's existence on the server and use by sshd,
> since this "backward compatibility" isn't documented, not even a
> historical reference about "obsolete" or "deprecated".
> 
> Maybe it's time to drop the old stuff not to get haunted by such
> leftovers again.

Good point - I just committed a change to remove it for openssh-5.9

-d
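
An audit for the leftover described in this thread, as an added example that is not part of the original messages or of OpenSSH: it lists keys that a user's authorized_keys2 still grants but authorized_keys does not. The function names, the one-directory-per-user layout under `home_root`, and the sample keys are assumptions made for illustration.

```python
import os
import tempfile

KEY_TYPES = ("ssh-", "ecdsa-sha2-", "sk-")  # prefixes that mark the key-type field

def parse_keys(path):
    """Return {key_blob: comment} for each public key line; {} if file is absent."""
    keys = {}
    if not os.path.isfile(path):
        return keys
    with open(path, encoding="utf-8", errors="replace") as fh:
        for line in fh:
            tokens = line.split()
            if not tokens or tokens[0].startswith("#"):
                continue  # blank line or commented-out key
            # Options may precede the key type; quoted option values holding key-type words are not handled.
            for i, tok in enumerate(tokens[:-1]):
                if tok.startswith(KEY_TYPES):
                    keys[tokens[i + 1]] = " ".join(tokens[i + 2:])
                    break
    return keys

def leftover_keys(home_root):
    """List (user, comment) for keys granted by authorized_keys2 only."""
    findings = []
    for user in sorted(os.listdir(home_root)):
        ssh_dir = os.path.join(home_root, user, ".ssh")
        current = parse_keys(os.path.join(ssh_dir, "authorized_keys"))
        legacy = parse_keys(os.path.join(ssh_dir, "authorized_keys2"))
        findings += [(user, c) for blob, c in legacy.items() if blob not in current]
    return findings

def build_sample(root):
    files = {  # constructed sample: alice's old key survives only in authorized_keys2
        "alice/.ssh/authorized_keys": "ssh-ed25519 NEWKEY-constructed alice@new\n",
        "alice/.ssh/authorized_keys2": 'from="10.0.0.*" ssh-rsa OLDKEY-constructed alice@old\n',
        "bob/.ssh/authorized_keys": "ssh-rsa BOBKEY-constructed bob@host\n",
        "bob/.ssh/authorized_keys2": "# legacy copy\nssh-rsa BOBKEY-constructed bob@host\n",
    }
    for rel, text in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(text)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_sample(root)
        print(leftover_keys(root))
```

Which files a given sshd actually consults is set by `AuthorizedKeysFile`; `sshd -T` prints the effective value.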

