backdoor by authorized_keys2 leftovers
Daniel Kahn Gillmor
dkg at fifthhorseman.net
Mon May 16 02:43:12 EST 2011
On 05/14/2011 06:28 PM, Damien Miller wrote:
> Index: sshd_config.5
> ===================================================================
> RCS file: /cvs/src/usr.bin/ssh/sshd_config.5,v
> retrieving revision 1.131
> diff -u -p -r1.131 sshd_config.5
> --- sshd_config.5 8 Dec 2010 04:02:47 -0000 1.131
> +++ sshd_config.5 13 May 2011 12:22:19 -0000
> @@ -170,6 +170,10 @@ is taken to be an absolute path or one r
> directory.
> The default is
> .Dq .ssh/authorized_keys .
> +Multiple files may be listed, either on a single line separated by
> +whitespace or on additional
> +.Cm AuthorizedKeysFile
> +lines.
> .It Cm AuthorizedPrincipalsFile
> Specifies a file that lists principal names that are accepted for
> certificate authentication.
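Review bot: the new sentence ("Multiple files may be listed, either on a single line separated by whitespace or on additional AuthorizedKeysFile lines.") says repeated AuthorizedKeysFile lines are permitted but not what a later line does: whether it accumulates with the earlier ones or replaces them, and whether a line inside a Match block adds to or supersedes the global setting. Suggest one sentence stating that rule and the Match-block behaviour here, next to the default, since an operator reads this entry to learn every file sshd will consult when deciding who may log in.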
It seems somewhat unclear how AuthorizedKeysFile interacts with a Match
clause.
If the following makes an array of two authorizedkeysfiles:
AuthorizedKeysFile foo
AuthorizedKeysFile bar
then what does this mean for user X:
AuthorizedKeysFile foo
Match user x
AuthorizedKeysFile bar
Is it worth explicitly stating that, for a matching connection, setting
an AuthorizedKeysFile within a Match block explicitly removes all other
AuthorizedKeysFile settings *not* in that match block?
--dkg
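As an added example (not code from the thread or from OpenSSH), the following script lists every AuthorizedKeysFile path an sshd_config names for a given user, so an auditor knows which files to inspect for leftover keys. It does not settle the question asked above: it reports the paths under both readings (the Match block's directive accumulates with the global one, or replaces it). Only `Match user ...` and `Match all` criteria are modelled, and the sample configuration is constructed to mirror the fragment in the mail. Relative paths are resolved against the user's home directory, as the manual page text quoted above states.

```python
"""Enumerate the AuthorizedKeysFile paths an sshd_config names for one user.

Constructed audit helper, not part of OpenSSH. The authoritative answer for a
real server is the running sshd's own parse of its configuration, e.g.
    sshd -T -f /path/to/sshd_config -C user=x,host=example.net,addr=192.0.2.1
which prints the effective settings for that connection.
"""
import posixpath
import shlex

# Constructed sshd_config fragment mirroring the example in the mail.
SAMPLE_CONFIG = """\
AuthorizedKeysFile foo
Match user x
    AuthorizedKeysFile bar
Match user y,z
    AuthorizedKeysFile baz quux
"""


def parse_authorized_keys_files(text):
    """Return (global_files, blocks); blocks is a list of (users, files).

    users is a set of user names for 'Match user ...' or None for 'Match all'.
    """
    global_files = []
    blocks = []
    current = None  # None while still in the global section
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        tokens = shlex.split(line)
        keyword, args = tokens[0].lower(), tokens[1:]
        if keyword == "match":
            if args and args[0].lower() == "all":
                users = None
            else:
                users = set()
                # Criteria come as keyword/value pairs; only 'user' is modelled.
                for crit, value in zip(args[0::2], args[1::2]):
                    if crit.lower() == "user":
                        users.update(value.split(","))
            current = (users, [])
            blocks.append(current)
        elif keyword == "authorizedkeysfile":
            # Several files on one line, or repeated lines, both add entries.
            target = global_files if current is None else current[1]
            target.extend(args)
    return global_files, blocks


def files_for_user(text, user):
    """Paths that apply to `user` under the two possible Match semantics."""
    global_files, blocks = parse_authorized_keys_files(text)
    matched = []
    for users, files in blocks:
        if users is None or user in users:
            matched.extend(files)
    return {
        "accumulate": global_files + matched,           # block adds to global
        "replace": matched if matched else global_files,  # block supersedes global
    }


def resolve_path(path, user, home):
    """Expand %%, %h and %u; a relative path is relative to the home directory."""
    expanded = (path.replace("%%", "\x00").replace("%h", home)
                .replace("%u", user).replace("\x00", "%"))
    return expanded if expanded.startswith("/") else posixpath.join(home, expanded)


if __name__ == "__main__":
    for user in ("x", "y", "other"):
        result = files_for_user(SAMPLE_CONFIG, user)
        home = "/home/" + user  # constructed home directory for the demo
        for reading, paths in result.items():
            print(user, reading, [resolve_path(p, user, home) for p in paths])
```

Run the script as is to see the two candidate file sets for each user; to audit a real host, feed it the actual sshd_config and then confirm with `sshd -T -C` which reading the installed sshd follows.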