backdoor by authorized_keys2 leftovers

Espen Fjellvær Olsen efo at
Wed May 11 16:42:34 EST 2011

On 11. mai 2011 08:23, Jameson Graef Rollins wrote:
> On Tue, 10 May 2011 23:01:14 -0700, Dan Kaminsky<dan at>  wrote:
>> I'd document, rather than remove. I think all my systems use
>> authorized_keys2.  You will end up locking users and admins out.
> I definitely agree with this sentiment.
> I also think that being able to specify multiple authorized_keys files
> is very useful, so I would prefer to just see this as a documented
> feature.
> jamie.
I say either remove it, or make it a configuration option to disable it.
Where authorized_keys are controlled by the AuthorizedKeysFile option, 
authorized_keys2 are not, which makes our distribution regimes a bit 
troublesome as we will have to make use of /etc/ssh/sshrc to 
delete/die/remove/something if %h/.ssh/authorized_keys2 is found.

Espen Fjellvær Olsen
Basefarm AS

More information about the openssh-unix-dev mailing list