Re: OpenSSH key blacklisting

[Solar Designer <solar () openwall com>]

On Fri, May 16, 2008 at 09:36:06PM +0200, Robert Buchholz wrote:
> Gentoo is discussing the feature in bug #221759 [1]. Until now, I have 
> not heard a reaction to the patch from our OpenSSH maintainers, so I 
> cannot judge on the technical side of the inclusion.

Thanks for the "bug" reference.  FWIW, the shell script in this comment
is vulnerable itself, in more than one way:

        http://bugs.gentoo.org/show_bug.cgi?id=221759#c9

For example, it lets a user have any other user's or root's
authorized_keys removed, by replacing .ssh with a symlink to someone
else's .ssh directory.  It's just bad practice to access users' files as
root (or as another user); this is difficult to do safely.

Also, it misses authorized_keys2.

> I assume whichever version has the acceptance of the OpenSSH upstream is 
> what most of us would be willing to go with. Did you discuss either 
> blacklist format with them already?

Yes, very briefly.  They don't intend to implement key blacklisting.

I suspect that a worm might change this, though. ;-)

> Personally, I would like to see the feature ported to our distribution 
> sooner than later, but neither at the cost of maintaining patchsets for 
> the rest of existance, nor with high transition cost once upstream 
> accepts another format.

Well, this is difficult to predict correctly.

Alexander