backdoor by authorized_keys2 leftovers
Espen Fjellvær Olsen
efo at basefarm.no
Wed May 11 16:42:34 EST 2011
On 11. mai 2011 08:23, Jameson Graef Rollins wrote:
> On Tue, 10 May 2011 23:01:14 -0700, Dan Kaminsky <dan at doxpara.com> wrote:
>> I'd document, rather than remove. I think all my systems use
>> authorized_keys2. You will end up locking users and admins out.
> I definitely agree with this sentiment.
>
> I also think that being able to specify multiple authorized_keys files
> is very useful, so I would prefer to just see this as a documented
> feature.
>
> jamie.
I say either remove it, or make it a configuration option to disable it.
Where authorized_keys is controlled by the AuthorizedKeysFile option,
authorized_keys2 is not, which makes our distribution regimes a bit
troublesome, as we will have to make use of /etc/ssh/sshrc to
delete/die/remove/something if %h/.ssh/authorized_keys2 is found.
--
BR
Espen Fjellvær Olsen
Basefarm AS
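
An audit for the leftover files discussed in this message, as an added example that is not part of the original post or of OpenSSH: it walks a passwd-format file and reports every account whose home holds .ssh/authorized_keys2, without deleting anything. The function names, the optional root prefix and the sample tree are assumptions made for the example.

```shell
#!/bin/sh
# Added example: report accounts that still have ~/.ssh/authorized_keys2.
# find_authorized_keys2 PASSWD_FILE [ROOT_PREFIX]
#   PASSWD_FILE  passwd(5)-format file listing the accounts to check
#   ROOT_PREFIX  optional prefix for home directories (e.g. a mounted image)
# Prints "user<TAB>path<TAB>key-lines" per finding; returns 1 if any was found.
find_authorized_keys2() {
    passwd_file=$1
    root=${2:-}
    found=0
    while IFS=: read -r user pw uid gid gecos home shell; do
        case $user in ''|\#*) continue ;; esac
        [ -n "$home" ] || continue
        f="$root$home/.ssh/authorized_keys2"
        # -e follows symlinks: a link to another key file is still reported.
        [ -e "$f" ] || continue
        # Count lines that are neither blank nor comments.
        n=$(grep -c -v -E '^[[:space:]]*(#|$)' "$f" 2>/dev/null || true)
        printf '%s\t%s\t%s\n' "$user" "$f" "${n:-0}"
        found=1
    done < "$passwd_file"
    return "$found"
}

# Constructed fixture (not real accounts or keys): alice has only
# authorized_keys, bob has a leftover authorized_keys2 with one key line.
make_sample() {
    d=$(mktemp -d)
    mkdir -p "$d/home/alice/.ssh" "$d/home/bob/.ssh"
    printf '%s\n' 'alice:x:1000:1000::/home/alice:/bin/sh' \
                  'bob:x:1001:1001::/home/bob:/bin/sh' > "$d/passwd"
    printf '%s\n' 'ssh-rsa AAAAconstructed alice@current' \
        > "$d/home/alice/.ssh/authorized_keys"
    printf '%s\n' '# distributed long ago' 'ssh-rsa AAAAconstructed bob@old' \
        > "$d/home/bob/.ssh/authorized_keys2"
    echo "$d"
}

sample=$(make_sample)
find_authorized_keys2 "$sample/passwd" "$sample" \
    || echo "leftover authorized_keys2 found" >&2
rm -rf "$sample"
```

Against a live host the call would be find_authorized_keys2 /etc/passwd, run with enough privilege to read every home directory.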