backdoor by authorized_keys2 leftovers

Daniel Kahn Gillmor dkg at fifthhorseman.net
Thu May 12 00:44:17 EST 2011


On 05/11/2011 07:48 AM, Damien Miller wrote:
> Perhaps we should make options.authorized_keys_file an array to let
> people who want to use multiple files do so.

There are at least two bugzilla issues open about this:

  https://bugzilla.mindrot.org/show_bug.cgi?id=172
  https://bugzilla.mindrot.org/show_bug.cgi?id=1684

Either way, the current arrangement is pretty counter-intuitive, so I'm
glad something is being done to resolve it.

In the current setup, IIRC, if AuthorizedKeysFile is not set, then both
~/.authorized_keys and ~/.authorized_keys2 are parsed.  But if
AuthorizedKeysFile *is* set, then that and only that is parsed (no
~/.authorized_keys2).  This is confusing/surprising no matter which
direction you're coming from.

Thanks for addressing the issue,

	--dkg
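
An audit for the leftover-file situation the message above describes; this is an added example, not part of the original message or of OpenSSH. It assumes the legacy file sits at ~/.ssh/authorized_keys2 and applies the behaviour as the message recalls it; the function names and sample data are hypothetical.

```python
import os
import re
import tempfile

# Assumption: the legacy file lives under ~/.ssh/ next to authorized_keys.
LEGACY_FILE = os.path.join(".ssh", "authorized_keys2")


def authorized_keys_file_setting(config_text):
    """Return the global AuthorizedKeysFile value, or None when it is unset."""
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # sshd_config accepts "Keyword value" and "Keyword=value"; keywords are case-insensitive.
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        keyword = parts[0].lower()
        if keyword == "match":  # conditional blocks are out of scope for this check
            break
        if keyword == "authorizedkeysfile" and len(parts) == 2:
            return parts[1]  # the first value in the file wins
    return None


def audit_legacy_keys(config_text, home_dirs):
    """Return (path, still_read) for every non-empty authorized_keys2 found."""
    setting = authorized_keys_file_setting(config_text)
    findings = []
    for home in home_dirs:
        path = os.path.join(home, LEGACY_FILE)
        if os.path.isfile(path) and os.path.getsize(path) > 0:
            # Per the message: read while the option is unset, ignored once it
            # is set (unless the setting itself names the legacy file).
            still_read = setting is None or LEGACY_FILE in setting
            findings.append((path, still_read))
    return findings


def demo():
    """Constructed sample: two home directories, one with a forgotten key file."""
    with tempfile.TemporaryDirectory() as root:
        homes = [os.path.join(root, name) for name in ("alice", "bob")]
        for home in homes:
            os.makedirs(os.path.join(home, ".ssh"))
        with open(os.path.join(homes[0], LEGACY_FILE), "w") as fh:
            fh.write("ssh-rsa CONSTRUCTED-PLACEHOLDER-KEY former-admin\n")
        unset = audit_legacy_keys("#AuthorizedKeysFile .ssh/authorized_keys\n", homes)
        pinned = audit_legacy_keys("authorizedkeysfile=.ssh/authorized_keys\n", homes)
        return [r for _, r in unset], [r for _, r in pinned]
```

Any path reported with `still_read` true is a key file that still grants logins even though nobody maintains it.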
