[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: The keychain package, its debconf templates, the security hole induced


You know, I'm parent. You look a lot like my son when he doesn't get
his way. When I don't do what he wants, he would start screaming and
making noise. I have learned that is better to ignore him for a while
until he calms down and we can have a normal conversation. If you have
contacted me instead of having a tantrum, you would have known that I made
a mistake and I would have worked with you to have your bug report resolved
to your satisfaction. I think that is why people receive emails from the
Bug tracking system. So, people can verify if the Bug was resolved or
not. Please contact me once you feel that you are ready to have a normal 
conversation. I will work with you to have the bug resolved.

Cesar Mendoza
"Hell, n. - The state of being the richest man in 
the world and knowing something exists that you can't buy. 
Have a kleenex, Bill."
  --Black Parrot (Referring to Bill Gates and Linux)

On Fri, Jan 21, 2005 at 10:22:02AM +0100, Martin Quinson wrote:
> Hello,
> as part of my current effort of getting rid of packages using debconf
> without providing support to translators, I had a bug repport against the
> keychain package asking simply to drop this template:
> Description: Information for people upgrading from versions prior to 2.0.
>  With this new version of keychain, the output of ssh-agent will be
>  redirected to the ~/.keychain/[hostname]-{c}sh files.  Any cron job or
>  login script that uses keychain needs to be updated to use the new
>  directory location.
>  .
>  For more information please read the man page.
> IMHO, it's clearly a debconf abuse which should be changed to a
> README.Debian entry. Moreover, the message is shown each time without even
> checking whether the user upgrades from an old version or not (what a pitty
> to show this on new installs). Not speaking from the fact that it's called
> from postinst instead of config and will thus stop the installation process
> right in the middle.
> My bug was close with a laconic changelog entry:
>   * l10n changes Closes: #235812,#259567,#262738,#266356,#274900,#192165
> And now, I'm mad about this. 
> A closer check to the package reveals that it's only useful if you want to
> open a security risk on your machine. All info relatives to the ssh-agent
> are written into a well known file, allowing cron jobs and attackers to use
> them without prior knowledge of your passwords.
> Dudes. There is a reason why those informations are not written to file by
> ssh itself. If my local machine gets corrupted, I'm happy to see the
> password I've set on my keys slowing down the attacker enough to allow me
> dropping the ssh keys from remote hosts. 
> You should at least speak about the potential security risk in the
> description. 
> I'd drop the package from the archive right away. I have several cron jobs
> using ssh keys (a new key for each cron, without pass and allowed to do only
> one specific command on the remote host).
> So, please do at least the following to your package:
>  - speak about the potential security hazard in description
>  - check the pre-installed version before showing your crufty template (or
>    use README.Debian, it's what it's good for)
>  - use a proper config script instead of blocking the install with a db_get
>    in the postinst (just read the debconf documentation)
>  - do usefull changelog entries in your packages in the future.
> Bye, Mt.

Reply to: